(54) System and method for protection of digital works



(57) A method of protecting a digital work uses a blind transformation function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is protected in its original form by not being decrypted. This method enables the rendering or replay application to process the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is then decrypted just before it is displayed to the user. The blind transformation function is a function of the original transformation function. For example, the blind transformation function may be a polynomial of the original transformation function. Alternatively, both the blind transformation function and the original transformation function may be any multivariate, integer coefficient affine function.
Description
Copyright Notice 

. ,0001, ^^^^T^^Z^^^^^^^^ 
whatsoever. 

Related Application

[0002] This application is a continuation-in-part of application no. 09/178,529 filed October 23, 1998.

Field of the Invention 

[0003] The invention relates to document rights management, and more particularly, to a method for protecting digital works which employs a blind transformation to transform encrypted digital works into encrypted presentation data.

Background of the Invention 

[0004] One of the most important issues impeding the widespread distribution of digital documents or works via electronic commerce is the current lack of protection of the intellectual property rights of content owners during the distribution and use of those digital documents or works. Efforts to resolve this problem have been termed "Intellectual Property Rights Management" ("IPRM"), "Digital Property Rights Management" ("DPRM"), "Intellectual Property Management" ("IPM"), "Rights Management" ("RM"), "Digital Rights Management" ("DRM") and "Electronic Copyright Management" ("ECM").

ZTsZy pe^ZZZl on dfgita. documents or works that they have acquired. Once accessed, the content 

7„«f L retributed or used in violation of the content owner's specification of rights, 
must not ^ d 'str,buted or useo I information subject to distribute or transfer, 

[0005] A "document", as the term is used herein, includes but is not limited to correspondence, books, magazines, journals, newspapers, other papers, software, photographs, audio and video clips, and other multimedia presentations. A document may be embodied in printed form on paper, as digital data on a storage medium, or in any other known manner on a variety of media. A digital work, as the term is used herein, is any document, text, audio, multimedia or other type of work or portion thereof that can be replayed or rendered using a device or a software program.
[0006] In the world of printed media, a work created by an author is usually provided to a publisher, which formats and prints numerous copies of the work. The copies are then sent by a distributor to bookstores or other retail outlets.

So* - K oTco^WS of distributing printed materia, have served as d = 

[0007] While the ow qua iiy vy » t modify, and redistribute unprotected elec- 

K^ror^inuane™ .no ,„. ,n,eme, Man, a„ em p ls ,0 p,o.,de „, rtma ,e-»« e a som.ions ,0 p.ev.m 
dunng document ^'^^.^^^^ Many djgita , rig hts management solutions rely on encrypting the digrtal 
is both real and obvious.

[0011] A "secure container" (or simply an encrypted document) offers a way to keep document contents encrypted until a set of authorization conditions are met and some copyright terms are honored (e.g., payment for use). After the various conditions and terms are verified with the document provider, the document is released to the user in clear form. Commercial products such as IBM's Cryptolopes and InterTrust's Digiboxes fall into this category. Clearly, the secure container approach provides a solution to protecting the document during delivery over insecure channels, but does not provide any mechanism to prevent legitimate users from obtaining the clear document and then using and redistributing it in violation of content owners' intellectual property.

[0012] Cryptographic mechanisms and secure containers focus on protecting the digital work as it is being transferred to the authorized user/purchaser. However, a digital work must be protected throughout its use from malicious users and malicious software programs. Even if a user is a trusted individual, the user's system may be susceptible to attack. A significant problem facing electronic commerce for digital works is ensuring that the work is protected on the target consumer's device. If the protection for the digital work is compromised, valuable and sensitive information is lost. To complicate matters, today's general-purpose computers and consumer operating systems are deficient in the areas of security and integrity. Protecting the work throughout usage is a much more complex issue that remains largely unsolved.

[0013] In the "trusted system" approach, the entire system is responsible for preventing unauthorized use and distribution of the document. Building a trusted system usually entails introducing new hardware such as a secure processor, secure storage and secure rendering devices. This also requires that all software applications that run on trusted systems be certified to be trusted. While building tamper-proof trusted systems is still a real challenge to existing technologies, current market trends suggest that open and untrusted systems such as PCs and workstations will be the dominant systems used to access copyrighted documents. In this sense, existing computing environments such as PCs and workstations equipped with popular operating systems (e.g., Windows and UNIX) and render applications (e.g., Microsoft Word) are not trusted systems and cannot be made trusted without significantly altering their architectures.

[0014] Accordingly, although certain trusted components can be deployed, users must continue to rely upon various 
unknown and untrusted elements and systems. On such systems, even if they are expected to be secure, unanticipated 
bugs and weaknesses are frequently found and exploited. 

[0015] Conventional symmetric and asymmetric encryption methods treat messages to be encrypted as basically binary strings. Applying conventional encryption methods to documents has some drawbacks. Documents are typically relatively long messages; encrypting long messages can have a significant impact on the performance of any application that needs to decrypt the document prior to use. More importantly, documents are formatted messages that rely on appropriate rendering applications to display, play, print and even edit them. Since encrypting a document generally destroys formatting information, most rendering applications require the document be decrypted into clear form before rendering it. Decryption prior to rendering opens the possibility of disclosing the document in the clear after the decryption step to anyone who wants to intercept it.

[0016] There are a number of issues in rights management: authentication, authorization, accounting, payment and financial clearing, rights specification, rights verification, rights enforcement, and document protection. Document protection is a particularly important issue. After a user has honored the rights of the content owner and has been permitted to perform a particular operation with a document (e.g., print it, view it on-screen, play the music, or execute the software), the document is presumably in-the-clear, or unencrypted. Simply stated, the document protection problem is to prevent the content owner's rights from being compromised when the document is in its most vulnerable state: stored, in the clear, on a machine within the user's control.

[0017] Even when a document is securely delivered (typically in encrypted form) from a distributor to the user, it must be rendered to a presentation data form before the user can view or otherwise manipulate the document. Accordingly, to achieve the highest level of protection it is important to protect the document contents as much as possible, while revealing them to the user at a late stage and in a form that is difficult to recover into a useful form.

[0018] In the known approach to electronic document distribution that employs encryption, an encrypted document is rendered in several separate steps. First, the encrypted document is received by the user. Second, the user employs his private key (in a public key cryptosystem) to decrypt the data and derive the document's clear content. Finally, the clear content is then passed on to a rendering application, which translates the computer-readable document into the finished document, either for viewing on the user's computer screen or for printing a hardcopy. The clear content is required for rendering because, in most cases, the rendering application is a third-party product (such as Microsoft Word or Adobe Acrobat Reader) that requires the input document to be in a specific format. It should be appreciated, then, that between the second and third steps, the previously protected document is vulnerable. It has been decrypted, but is still stored in clear electronic form on the user's computer. If the user is careless or is otherwise motivated to minimize fees, the document may be easily redistributed without acquiring the necessary permissions from the content owner.






EP 1 146 715 A1 




U limiting use of the digital work to a ^^J^ user intends to use to render 

private information or system state ^^^.J^^^^c^mtlon information such as system 
the digital work. System state rfoM etc. in these techniques, the digital 

parameters, CPU identif .er. device identrfiers. NIC . entire dnv cor 9 ^ encryption key. is encrypted 

content is encrypted using a sess,on key. then the ses s,on key i at h« than usmg he u nrp 
using a combination of the system or state- » tarn. ™ 

and key are transmitted to the dest.nat.on ^^J^JiSrSw* venf.es the user's identity and cre- 
a trusted authorizing entity (usually a remotely ■^^"^™^£ jry ^ the content for use. 
dentials, then together with system state, decrypts the ^ n ™™ e secure Micros0 ft MediaPlayer 

[0 020) Commercial applications such as the secure Adobe Acrobat reade ^ and the ^ 
Validate usage of the digital work by checking ^^J^^J^S^l cer tain device serial numbers. 
Among the user credentials are system device nden ^^^^!SSZ ! tS. specified device is present. 

themselves are particularly susceptible to the threat of spoofing. rendering application to 
[0021] The Acrobat Reader and MediaPlayer 

identify required devices on the usersystem as specified in the . '^ ense ^ cne and the use ^ s specified rendering 
a level of protectjor on the assumption that neither 

is decrypted to its clear state and then becomes asCmes the user will be sufficiently deterred 

out usage. Further, the user information approach » t^Mmfe « * JJSSnrton approach to succeed there 
from passing along his/her persona, information In <*™™£- '^^t Jand credential information, 
must be severe consequences for users who would reveal I their pnvate Jjjjj" the user 

[0 023, A ^sr^re^ to J*-™^ oTj^iJ^ which raises a concern regarding 
to divulge sensitive information (e.g.. I.KU »um»i 01 ' •> , „ M he „ 0 1 „sh 10 

pnvaoy issues. While .ho use. divutges he J^^^^Md. a pro.ec.ion sotane .ha. 

distributed document during the decryption and rendering processes. 
Summary of the Invention 

,0„ 25I A 6 e».p.o,ec,n 9 doeunten, (W*, • ^^.^SSKd'. l^SSS^SZ 

.ageso»hep,io,ad.Byeon«ln 9 an^ 

=r P r,Xn==n^ 

[0026] The SPD system is broken down be.ween « content creator <«n«°9 f(rnimpri1 Rnr! cecidef whal 

of the invention, various rendering faci.tties are a.s c ' P^,^^,^'^^ use) . In an alternative em- 

^rs^^^^ » — - - — 

provide trusted rendering. Hpcrvnted bv the user's system while simul- 
may be cryptographically less secure than the encryption used for distribution, but serves to deter casual copying. In
this embodiment, depolarization is performed during or after the rendering process, so as to cause any intermediate 
form of the document to be essentially unusable. 

[0029] In another embodiment of the invention, a method of protecting a digital work uses a blind transformation function to transform an encrypted digital work into encrypted presentation data. The originator's digital content is protected in its original form by not being decrypted. This method enables the rendering or replay application to process the encrypted document into encrypted presentation data without decrypting it first. Encrypted presentation data is then decrypted just before it is displayed to the user. This method improves the overall performance of the process (both decryption and rendering) by minimizing the decryption overhead (since pre-rendering decryption is generally more time and resource consuming) and postponing the decryption to a late stage of the rendering process.

[0030] Blind transformation or blind computing can be accomplished in one of several ways. Most digital works include formatting information, which when encrypted cannot be processed by the replay or rendering application (the transformation function which transforms a digital work into presentation data). If the digital work is encrypted with a format preserving encryption scheme, any transformation function may be used. This is particularly useful in that any commercial replay or rendering application can process the encrypted digital work into encrypted presentation data. Otherwise the blind transformation function is a function of the original transformation function. For example, the blind transformation function may be a polynomial of the original transformation function. Alternatively, both the blind transformation function and the original transformation function may be any multivariate, integer coefficient affine function.
[0031] Not all encryption schemes are format preserving encryption schemes. Additive encryption schemes may be used with all document types and all associated transformation functions. In some replay or render applications, for some types of documents, portions of the format information may be left in the clear. In other types of documents all of the format information may be encrypted. In some types of documents, an additive encryption scheme may be used to encrypt the format information and any encryption scheme may be used to encrypt the content or data portion of the document.

[0032] In particular, additive encryption schemes can be used to encrypt coordinate information of documents so that some rendering transformations can be performed on the encrypted coordinate data. In a special class of documents, token-based documents, for example, there are two places during the format-preserving encryption that use encryption schemes: one is for coordinate or location information x and y of the particular tokens within the document, and the other is for the dictionary of individual token images. In order to perform blind transformation on the individual coordinates of the particular tokens in the document, the first encryption scheme must be an additive encryption scheme. However, the token dictionary may be encrypted with any encryption scheme.
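The blind transformation of paragraphs [0030]-[0032] can be worked through in code. The following is an added example, not code from the patent: the coordinates in a token location table are encrypted with an additive scheme, an integer-coefficient affine layout transformation (a zoom plus a margin offset) is applied by a rendering function that never sees the key, and the result is decrypted just before display. The 16-bit coordinate modulus, the sample table, the key and the transformation matrix are all constructed for the example.

```python
# Added example (not from the patent): blind transformation of additively
# encrypted token coordinates by an integer-coefficient affine rendering
# function, as described in paragraphs [0030]-[0032].
MODULUS = 1 << 16  # assumed 16-bit page coordinate space (constructed)


def additive_encrypt(value, key):
    """Additive, format-preserving encryption of one integer coordinate."""
    return (value + key) % MODULUS


def additive_decrypt(cipher, key):
    return (cipher - key) % MODULUS


def affine_transform(point, A, b):
    """Multivariate affine function with integer coefficients: p' = A*p + b."""
    x, y = point
    return ((A[0][0] * x + A[0][1] * y + b[0]) % MODULUS,
            (A[1][0] * x + A[1][1] * y + b[1]) % MODULUS)


def blind_key(A, key):
    """Key that decrypts the transformed coordinates.

    Because A*(p + k) + b = (A*p + b) + A*k, the blind transformation differs
    from the clear one only by the shift A*k, so the late-stage decryptor
    needs A*k, a function of the transformation, rather than k itself.
    """
    kx, ky = key
    return ((A[0][0] * kx + A[0][1] * ky) % MODULUS,
            (A[1][0] * kx + A[1][1] * ky) % MODULUS)


def encrypt_location_table(table, key):
    """Encrypt only the x/y coordinates; token identifiers stay in the clear."""
    kx, ky = key
    return [(tok, additive_encrypt(x, kx), additive_encrypt(y, ky))
            for tok, x, y in table]


def render(table, A, b):
    """The rendering application: applies the affine layout transformation to
    whatever coordinates it is given, clear or encrypted, without any key."""
    return [(tok,) + affine_transform((x, y), A, b) for tok, x, y in table]


def decrypt_presentation(encrypted_presentation, A, key):
    """Decrypt the encrypted presentation data just before display."""
    bkx, bky = blind_key(A, key)
    return [(tok, additive_decrypt(x, bkx), additive_decrypt(y, bky))
            for tok, x, y in encrypted_presentation]


def blind_pipeline(table, key, A, b):
    """Encrypt -> render blind -> decrypt just before display."""
    encrypted = encrypt_location_table(table, key)
    encrypted_presentation = render(encrypted, A, b)
    return decrypt_presentation(encrypted_presentation, A, key)


# Constructed sample: three tokens on a page, a 2x zoom plus a margin offset.
LOCATION_TABLE = [("t1", 100, 200), ("t2", 340, 200), ("t3", 100, 260)]
COORD_KEY = (40123, 9876)
ZOOM = [[2, 0], [0, 2]]
MARGIN = (50, 30)

if __name__ == "__main__":
    blind = blind_pipeline(LOCATION_TABLE, COORD_KEY, ZOOM, MARGIN)
    clear = render(LOCATION_TABLE, ZOOM, MARGIN)
    print("blind path:", blind)
    print("clear path:", clear)
    print("match:", blind == clear)
```

The rendering step sees only the encrypted coordinates, and the intermediate encrypted presentation data differs from the clear layout. The identity A(p + k) + b = (Ap + b) + Ak is what makes the derived key Ak sufficient; it holds for any integer-coefficient affine map, but not for an arbitrary polynomial in the coordinates, whose cross terms in f(p + k) depend on the clear value p itself.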

[0033] An encrypted token dictionary may still leak information such as the sizes of the token images. If this is a concern (such as if the token dictionary is small), the tokens can be padded with some extra bits before encryption. The padding can result in encrypted token images of a same size or several fixed sizes. For a token-based document, the coordinate information of the tokens in the dictionary may not be encoded. If it is desired that coordinate information be encoded, say as Huffman codewords, the same approach that is used to encrypt the identifiers can be used to deal with this situation. Basically, the codewords in location tables are left in the clear, and the codewords in the codeword dictionary are hashed using some one-way hash function and their corresponding coordinate information is encrypted. During rendering the codewords in the location tables are first hashed and then used to look up their encrypted coordinate information.
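Paragraph [0033] describes padding the token dictionary and protecting Huffman-coded coordinate information by hashing the codewords and encrypting their values. The following added example (not the patent's code) implements both: token images are padded to fixed size classes before encryption, the codeword dictionary is keyed by a one-way hash with its coordinate values encrypted, and the renderer resolves the clear codewords in the location table by hashing them. The SHA-256 counter-mode keystream, the size classes, the key and the sample document are constructed stand-ins.

```python
# Added example (not from the patent): protecting a token-based document's
# dictionaries as described in paragraph [0033]. Token images are padded to
# fixed sizes before encryption; codeword dictionary keys are replaced by a
# one-way hash and their coordinate values encrypted; the location table
# keeps its codewords in the clear and is resolved by hashing at render time.
import hashlib

SIZE_CLASSES = (64, 128, 256)  # constructed fixed sizes for padded token images


def keystream(key, label, n):
    """Toy SHA-256 counter-mode keystream; a stand-in for 'any encryption
    scheme', which the patent permits for the dictionaries."""
    out, counter = b"", 0
    while len(out) < n:
        block = hashlib.sha256(key + b"|" + label + b"|" + counter.to_bytes(4, "big"))
        out += block.digest()
        counter += 1
    return out[:n]


def xor_crypt(data, key, label):
    """Encrypts and decrypts (XOR with a per-label keystream)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def pad_token_image(image):
    """Prefix the true length and pad to the smallest size class, so the
    encrypted dictionary no longer leaks individual token image sizes."""
    body = len(image).to_bytes(2, "big") + image
    for size in SIZE_CLASSES:
        if len(body) <= size:
            return body + b"\x00" * (size - len(body))
    raise ValueError("token image exceeds the largest size class")


def unpad_token_image(padded):
    length = int.from_bytes(padded[:2], "big")
    return padded[2:2 + length]


def hash_codeword(codeword):
    """One-way hash used in place of the codeword as the dictionary key."""
    return hashlib.sha256(b"codeword:" + codeword.encode()).hexdigest()


def protect_dictionaries(token_images, coord_codewords, key):
    """token_images: token id -> image bytes.
    coord_codewords: Huffman-style codeword -> coordinate value (int).
    Returns the encrypted token dictionary and the protected codeword dictionary."""
    enc_tokens = {tid: xor_crypt(pad_token_image(img), key, b"tok:" + tid.encode())
                  for tid, img in token_images.items()}
    enc_coords = {}
    for codeword, coord in coord_codewords.items():
        h = hash_codeword(codeword)
        enc_coords[h] = xor_crypt(coord.to_bytes(2, "big"), key, b"coord:" + h.encode())
    return enc_tokens, enc_coords


def render(location_table, enc_tokens, enc_coords, key):
    """location_table: list of (token id, x codeword, y codeword), codewords in
    the clear. Each codeword is hashed, the hash looks up the encrypted
    coordinate, and the token image is decrypted and unpadded only when placed."""
    placed = []
    for tid, x_cw, y_cw in location_table:
        coords = []
        for codeword in (x_cw, y_cw):
            h = hash_codeword(codeword)
            clear = xor_crypt(enc_coords[h], key, b"coord:" + h.encode())
            coords.append(int.from_bytes(clear, "big"))
        image = unpad_token_image(xor_crypt(enc_tokens[tid], key, b"tok:" + tid.encode()))
        placed.append((image, coords[0], coords[1]))
    return placed


# Constructed sample document.
KEY = b"constructed-demo-key"
TOKEN_IMAGES = {"t1": b"\x10\x20\x30", "t2": b"\xff" * 40}
COORD_CODEWORDS = {"0": 100, "10": 200, "110": 340}
LOCATION_TABLE = [("t1", "0", "10"), ("t2", "110", "10")]

if __name__ == "__main__":
    enc_tokens, enc_coords = protect_dictionaries(TOKEN_IMAGES, COORD_CODEWORDS, KEY)
    print({tid: len(v) for tid, v in enc_tokens.items()})  # both images now 64 bytes
    print(render(LOCATION_TABLE, enc_tokens, enc_coords, KEY))
```

Both sample images land in the 64-byte size class, so an observer of the encrypted dictionary can no longer tell a 3-byte glyph from a 40-byte one; the codeword dictionary exposes only hashes, and the location table alone reveals nothing about where a token sits until the coordinate values are decrypted.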

[0034] In another embodiment of the invention, a digital work and a system context (or resource information or system resource) are polarized enabling trusted rendering or replay of the digital work without depolarization of the digital content. In this embodiment, the digital work is of the type which includes digital content and resource information. Resource information may include information used by a replay application to format or process the digital work into presentation data. Resource information may include, for example, a collection of system resources available to the replay software on a particular system, such as the Font Table, Color Palette, System Coordinates and Volume Setting.
[0035] Different types of digital works may be polarized. In addition to polarizing typical document type digital works, audio and video digital works can be polarized. The digital work and system context are polarized at a manufacturer or content owner's location using a polarization engine. A polarization engine is a component used to transform the digital work and system context to their respective polarized forms. The polarization engine employs a polarization scheme which relies on some polarization seed, an element used to initialize and customize the polarization engine.

[0036] Various polarization schemes may be used to polarize a digital work. For example, a stateless polarization employs a random number as a seed to transform a digital work into a polarized digital work. A state-based polarization scheme employs a seed based on a system state or characteristic of a system to transform a digital work into a polarized digital work that is associated with that system state or characteristic. A dynamic state-based polarization scheme employs a seed based on a dynamic system state or characteristic to transform a digital work into a polarized digital work. In this embodiment, the polarized digital work will typically be provided with a polarization engine for repolarizing the encoded digital work and the encoded system context according to the dynamic state-based polarization scheme
each time the system re

based on authorization information .^^^JL^^Sred separately from the polarized digital work in a 
work. For further security, the po.a use of the digital work, 
removable context dev.ce, wh.ch must be ~"f'f d l ° which can be used to tie the particular digital work to 

l0 037] Preferably the po.arizat.on s f 

the ultimate end user or an ultimate end user system Really the ow ^ ^ ^ M rf ^ 

scheme to be used in polarizing ^^^^^SZ different levels of complexity and strength. When 
digital work. Like encrypt.on schemes, P°'f^ f w "f ^"^.g resource information, called the system context, is 
a digital work is ordered, a copy o ^^^JSS^SS. system context are polarized. A different 
made. The polarization seed ,s •f^™^£2^ is used for the digrtal wolk. However the polanzat.on 

Mm a po,arized di9ital work int0 c,ear 

presentation data. noiarized leaving the resource information unpolarlzed or in the 

^0039] If only the digital content of a ^ work ,s J^^Jg,, WQrk int0 polarized prese ntation data. This 
clear, the replay application will be able to process ^tne po .a inz y ft b , e for viewing or use by 

means a depolarizer must depolarize the P-s-ta,on da*a when the replay application 

the user. If a portion of a digital work's resource rtomjton* a so po a J in , orm ation to transform 

^ansformsthepolarized digital work, thereplayapp.« 

the polarized digital work into clear presentation da a. A I 8 q unpolarized digital content, 

polarized. The replay is blind in that the rep lay apple* application using a polarized system 
[00401 in this embodiment, a polarized ^^^""2^^ application can be any commercial orthird 
context (resource information) to create dear J^^^J^JJS. presentation data and no depolarizer 
party application. The replay application need not be * 1em (it processe s polarized digital content 

engine's required. The replay ^^•'^ " •J'J^^^ tran P sform s or encodes the digital work 

S^XSS^^^ device is ,ied t0 8 spec ' rfic resource 

nto its clear form before the digital work « provided to therapy «PP ,I « ^ u P nt / tne last possib le moment 

work encoded in the polarized form (there <m ^•JJ^SSSffJlI^ neve! depolarized in the clear. Since 
of the replay ^J^^^^J^^^ work, even . the presentation data is captured 

[0 042] Many different types ^^^^^^Z^S^ «k and Jideo files may be replayed in the 

SeX^-~ 
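The polarization seeds of paragraphs [0035]-[0036], and the polarized system context (Figures 20-23) that lets an unmodified replay application produce clear presentation data, can be illustrated with a toy engine. The following added example is not the patent's code: the engine is a seed-initialised permutation of glyph codes, the seed is either random (stateless) or derived from system-state fields (state-based), and the font table is polarized with the same map so that ordinary lookup renders the polarized content correctly; a repolarize step models the dynamic state-based scheme. The alphabet, font table, system-state fields and document are constructed.

```python
# Added example (not from the patent): a toy polarization engine for the
# schemes in paragraphs [0034]-[0036] and the polarized system context of
# Figures 20-23. The engine is a seed-initialised permutation of glyph codes;
# the system-state fields and the font table are constructed.
import hashlib
import os
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz "  # constructed glyph code set
FONT_TABLE = {code: "glyph(%s)" % code for code in ALPHABET}  # code -> glyph image


def stateless_seed():
    """Stateless polarization: a random seed, tied to no system."""
    return os.urandom(16)


def state_based_seed(system_state):
    """State-based polarization: seed derived from system characteristics such
    as CPU and device identifiers (constructed field names)."""
    material = "|".join("%s=%s" % (k, system_state[k]) for k in sorted(system_state))
    return hashlib.sha256(material.encode()).digest()


def polarization_engine(seed):
    """Returns the polarization map: a seed-initialised permutation of ALPHABET."""
    rng = random.Random(int.from_bytes(seed, "big"))
    shuffled = list(ALPHABET)
    rng.shuffle(shuffled)
    return dict(zip(ALPHABET, shuffled))


def polarize_content(text, pmap):
    return "".join(pmap[ch] for ch in text)


def depolarize_content(polarized, pmap):
    inverse = {v: k for k, v in pmap.items()}
    return "".join(inverse[ch] for ch in polarized)


def polarize_font_table(font_table, pmap):
    """Polarized system context: the polarized code is bound to the original
    glyph, so an unmodified replay application produces clear presentation
    data from polarized content and no depolarizer is needed."""
    return {pmap[code]: glyph for code, glyph in font_table.items()}


def replay(content, font_table):
    """Ordinary (third-party) replay application: one font-table lookup per code."""
    return [font_table[ch] for ch in content]


def repolarize(polarized, old_pmap, new_pmap):
    """Dynamic state-based scheme: move a work from the old seed's polarization
    to the new seed's; the clear text exists only inside this step."""
    return polarize_content(depolarize_content(polarized, old_pmap), new_pmap)


# Constructed system state of the ordering user's machine.
SYSTEM_STATE = {"cpu_id": "CPU-0000-DEMO", "nic_mac": "02:00:00:aa:bb:cc"}
DOCUMENT = "secret memo"


def demo(system_state=SYSTEM_STATE):
    """Polarize document and font table for one system; return both the
    polarized content and what a plain replay application shows."""
    pmap = polarization_engine(state_based_seed(system_state))
    polarized_doc = polarize_content(DOCUMENT, pmap)
    polarized_font = polarize_font_table(FONT_TABLE, pmap)
    return polarized_doc, replay(polarized_doc, polarized_font)


if __name__ == "__main__":
    polarized_doc, presentation = demo()
    print("polarized content:", polarized_doc)
    print("clear presentation:", presentation == replay(DOCUMENT, FONT_TABLE))
```

Replaying the polarized content against the unpolarized FONT_TABLE instead yields polarized presentation data, the case of paragraph [0039] that needs a separate depolarizer; with the polarized table the clear glyph sequence appears only on the display path, and a copy of the polarized document carried to a machine with a different system state is matched with a different permutation.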
Brief Description of the Drawings 

may be described as follows: 

FIGURE 1 is a ,op-,ve. blocK diagram representing a model lor the ciealion and commercial distribution of elec- 
tronic documents in either secure c-.^mr.ir occment. according to the art; 
FIGURE I VZl ~ of Protected e.ectronic documents according to a simple 
SS^^S^iu*-""" the decryption of protected electronic documents accordingto a preferred 
SS^? iETSK* diagram illustrating the data structures present in a self-protecting document ac- 
5 -d customization of a seK-protecting document according to 
T^B^T^TiL a user's perspective, i.iustrating the actions performed in handling and using a 






self-protecting document according to the invention;
FIGURE 8 is a graph illustrating several possible paths between an unrendered and encrypted document, and rendered and decrypted presentation data;
FIGURE 9 is a flow diagram illustrating a polarization process according to the invention in which document format information remains in the clear for rendering;
FIGURE 10 is a block diagram of a method of format preserving encryption and trusted rendering according to the invention;
FIGURE 11 is a simple example of a document to be tokenized;
FIGURE 12 is the token dictionary for the document of Fig. 11;
FIGURE 13 is the location table for the document of Fig. 11;
FIGURE 14 is a block diagram illustrating a process for generating a polarized digital work and polarized system resource according to the invention;
FIGURE 15 is a block diagram illustrating the conversion of a digital work into image data according to the art;
FIGURE 16 is a block diagram illustrating a system for blind replay of a polarized digital work according to the invention;
FIGURE 17 is a block diagram illustrating another system of blind replay of a polarized digital work according to the invention;
FIGURE 18 is a block diagram of an example structure of a digital document;
FIGURE 19 is an example digital document;
FIGURE 20 is an example of the digital document of Fig. 16 after it has been polarized;
FIGURE 21 is a block diagram of an example structure of a resource information or system context for a digital document;
FIGURE 22 is a block diagram of an example font table; and
FIGURE 23 is a block diagram of the font table of Fig. 22 after it has been polarized.

Detailed Description of the Preferred Embodiments 

[0044] The invention is described below, with reference to detailed illustrative embodiments. It will be apparent that the invention can be embodied in a wide variety of forms, some of which may be quite different from those of the disclosed embodiments. Consequently, the specific structural and functional details disclosed herein are merely representative and do not limit the scope of the invention.

[0045] Figure 1 represents a top-level functional model for a system for the electronic distribution of documents, 
which as defined above, may include correspondence, books, magazines, journals, newspapers, other papers, soft- 
ware, audio and video clips, and other multimedia presentations. 

[0046] An author (or publisher) 110 creates a document's original content 112 and passes it to a distributor 114 for distribution. Although it is contemplated that the author may also distribute documents directly, without involving another party as a distributor, the division of labor set forth in Figure 1 is more efficient, as it allows the author/publisher 110 to concentrate on content creation, and not the mechanical and mundane functions taken over by the distributor 114. Moreover, such a breakdown would allow the distributor 114 to realize economies of scale by associating with a number of authors and publishers (including the illustrated author/publisher 110).

[0047] The distributor 114 then passes modified content 116 to a user 118. In a typical electronic distribution model, the modified content 116 represents an encrypted version of the original content 112; the distributor 114 encrypts the original content 112 with the user 118's public key, and modified content 116 is customized solely for the single user 118. The user 118 is then able to use his private key to decrypt the modified content 116 and view the original content 112.

[0048] A payment 120 for the content 112 is passed from the user 118 to the distributor 114 by way of a clearinghouse 122. The clearinghouse 122 collects requests from the user 118 and from other users who wish to view a particular document. The clearinghouse 122 collects the payments, such as credit card transactions or other known electronic payment schemes, and forwards the collected users' payments as a payment batch 124 to the distributor 114. Of course, it is expected that the clearinghouse 122 will retain a share of the user's payment 120. In turn, the distributor 114 retains a portion of the payment batch 124 and forwards a payment 126 (including royalties) to the author and publisher 110. In one embodiment of this scheme, the distributor 114 awaits a bundle of user requests for a single document before sending anything out. When this is done, a single document with modified content 116 can be generated for decryption by all of the requesting users. This technique is well-known in the art.

[0049] In the meantime, each time the user 118 requests (or uses) a document, an accounting message 128 is sent to an audit server 130. The audit server 130 ensures that each request by the user 118 matches with a document sent by the distributor 114; accounting information 131 is received by the audit server 130 directly from the distributor 114. Any inconsistencies are transmitted via a report 132 to the clearinghouse 122, which can then adjust the payment
self-protecting documents. < Fiaure *n in a prior art system for electronic

u! er ova, a'puMp net»o*, . tri . ^ ^^^"^S^..,*^-,™. 
[0052] At the outset, an encrypted document 210 is JL ^ „ slore d locally at lite 

encrypted documents at the user 118 s sysxem. m simp.* ^ lirMnt Qin i* nassed to a decryption step 312 

ional layer of protection is provided by a protecting sheH SO TN ^protecting she 1 320 alio ^ 

contents 420. AH otme. P document between decrypting it and polarizing it. 

;roC'.n-er™ 

Fvsiem time would have r.hanppd too much. nassed to a rendering appli- 

polarized contents 420, as the contents, any formatting codes, and other cues used by tne 

scrambled in the polarization'process. fault-tolerant, or it must receive po- 

Eco=;rr^^^^ 

'S^JS.'Slig .ppKaPpn is pMM Pteeentatlon data 42S, wPtcP Pas Pean — b» the 




rendering application 424 but is still polarized, and hence not readable by the user. The polarized presentation data 426 is passed to a depolarizer 428, which receives the polarization key 418 and restores the original form of the document as presentation data 430. In one embodiment of the invention, the depolarization function is combined with the rendering or display function. In this case, the polarized presentation data 426 is received directly by a display device, which can be separate from the user's system and receive data over a communications channel.

[0063] Creation of the polarization key 418, the rendering application 418, and the depolarization step 428 are all elements of the protecting shell 422; these are tamper-resistant program elements. It is contemplated that all computational (or transformation) steps that occur within the protecting shell 422 will use local data only, and will not store temporary data to any globally accessible storage medium or memory area; only the explicit results will be exported from the protecting shell 422. This approach will prevent users from easily modifying operating system entry points or scavenging system resources so as to intercept and utilize intermediate data.

[0064] It should be noted that the presentation data 430 of Figure 4, in alternative embodiments of the invention, can be either device independent or device dependent. In the device-independent case, additional processing by a device driver (such as a display driver or a printer driver) typically is necessary to complete the rendering process. In the presently preferred device-dependent case, the device-specific modifications to the presentation data have already been made (either in the rendering application 424 or the depolarizing step 428), and the presentation data 430 can be sent directly to the desired output device.

[0065] The decryption schemes described with reference to Figures 3 and 4 above are enabled by a unique document structure, which is shown in detail in Figure 5. As discussed above, certain operations performed by the system and method of the invention require trusted components. One way to ensure that certain unmodified code is being used to perform the trusted aspects of the invention is to provide the code along with the documents. The various components of a self-protecting document according to the invention are illustrated in Figure 5.

[0066] The problem of document protection is approached by the invention without any assumptions on the presence of trusted hardware units or software modules in the user's system. This is accomplished by enhancing a document to be an active meta-document object. Content owners (i.e., authors or publishers) attach rights to a document that specify the types of uses, the necessary authorizations and the associated fees, and a software module that enforces the permissions granted to the user. This combination of the document, the associated rights, and the attached software modules that enforce the rights is the self-protecting document ("SPD") of the invention. A self-protecting document prevents the unauthorized and uncontrolled use and distribution of the document, thereby protecting the rights of the content owners.

[0067] The self-protecting document 510 includes three major functional segments: an executable code segment 512 contains certain portions of executable code necessary to enable the user to use the encrypted document; a rights and permissions segment 514 contains data structures representative of the various levels of access that are to be permitted to various users; and a content segment 516 includes the encrypted content 116 (Figure 1) sought to be viewed by the user.

[0068] In a preferred embodiment of the invention, the content segment 516 of the SPD 510 includes three subsec- 
tions: document meta-information 518 (including but not limited to the document's title, format, and revision date), rights 
label information 520 (such as a copyright notice attached to the text, as well as rights and permissions information), 
and the protected content 520 (the encrypted document itself). 

[0069] In one embodiment of the invention, the rights and permissions segment 514 includes information on each 
authorized user's specific rights. A list of terms and conditions may be attached to each usage right. For example, user 
John Doe may be given the right to view a particular document and to print it twice, at a cost of $10. In this case, the 
rights and permissions segment 514 identifies John Doe, associates two rights with him (a viewing right and a printing 
right), and specifies terms and conditions including the price ($10) and a limitation on printing (twice). The rights and 
permissions segment 514 may also include information on other users. 

[0070] In an alternative embodiment, the rights and permissions segment 514 includes only a link to external infor- 
mation specifying rights information. In such a case, the actual rights and permissions are stored elsewhere, for example 
on a networked permissions server. This provides 
the advantage that rights and permissions may be updated dynamically by the content owners. For example, the price 
for a view may be increased, or a user's rights may be terminated if unauthorized use has been detected. 

[0071] In either scenario, the rights and permissions segment 514 is cryptographically signed (by methods known 
in the art) to prevent tampering with the specified rights and permissions; it may also be encrypted to prevent the user 
from directly viewing the rights and permissions of himself and others. 

[0072] The executable code segment 512, also called the "SPD Control," also contains several subsections, each 
of which comprises a software module at least partially within the executable code segment. In one embodiment of 
the invention the Java programming language is used for the SPD Control; however, it is contemplated that any plat- 
form-independent or platform-specific language, either interpreted or compiled, can be used in an implementation of 
this invention. 
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,0073] A rights -.orc« 524 „ proson, to v„»» « ^ J"** » ^^"X SC^^ 

[0076] A counterpart depolarization eng.ne 528 « also J"**** , an*M P-m P , inMrtace 
!,om L polarized eonten, ,s.e Figure *™SrSTS w»S^V =28 Is 

ss^kt- ■rr™.' sjnrssi » - - - - - - — — 

Lhe, depoiarizalidd whip* depend, en to, exa^e »» "J-^S^ST segment 512. Too soco,. .lowor 530 Is 

Ko*^".^ 

^pr^ro^^^ 

systems. included or referenced within the executable code segment 512. The ran- 

Ken^^^ 

[0079] The foregoing aspects and elements of the self-protecting document 510 will be discussed in further detail 

specification 614; and ar .optional tQ , out the document as des ired by the author or pubiisher. 

10081] The content 612 .s pre-proc essed J st ^ 6 J °> * be £filected . ^ conten t 612 is essentially "pre-ren- 
For example, a preferred page size, font, and page layout may oe »e comDatib | e witn US ers' systems and the 
dered" in the content pre-processing step so that rt w, I be .n a tonjar hat » ^JJJJJ Acrobat (-.PDP) format 
SPD. For example, the content 612 may be ^f^Zl^lZe^le 532 (Figure 5) , n one embodiment of the 

rig nts specification tailored to a papula d ^ J^ 6 ^?^ right t0 distrlbute up to 100.000 copies of a 

S . ll^ denned eter.nce ,o . detailed oxen**, I. so, odd de da, „ 

ficotioos 8,0 represented os aotom.nl. ,n DPRL. F ordeM * itj.. y Rights Where the 

U=H cation. difto.enl sots ol rights applidadl. .10 th.a work ar >•£•«*•* ^UoSlSon. Cdndilidns con bo of 

in,^,^ - — - — - — M 
can be performed, and so on. DPRL allows different categories of rights: transfer rights, render rights, derivative work rights, 
file management rights and configuration rights. Transport rights govern the movement of a work from one repository 
to another. Render rights govern the printing and display of a work, or more generally, the transmission of a work 
through a transducer to an external medium (this includes the "export" right, which can be used to make copies in the 
clear). Derivative work rights govern the reuse of a work in creating new works. File management rights govern making 
and restoring backup copies. Finally, configuration rights refer to the installation of software in repositories. 
An exemplary work specification in DPRL is set forth below: 

(Work:
  (Rights-Language-Version: 1.02)
  (Work-ID: "ISDN-1-55860-166-X; AAP-2348957tut")
  (Description: "Title: 'Zuke-Zack, the Moby Dog Story'
     Author: 'John Beagle'
     Copyright 1994 Jones Publishing")
  (Owner (Certificate:
     (Authority: "Library of Congress")
     (ID: "Murphy Publishers")))
  (Parts: "Photo-Celebshots-Dogs-23487gfj" "Dog-Breeds-Chart-AKC")
  (Comment: "Rights edited by Pete Jones, June 1996.")
  (Contents: (From: 1) (To: 16636))
  (Rights-Group: "Regular"
     (Comment: "This set of rights is used for standard retail editions.")
     (Bundle:
        (Time: (Until: 1998/01/01 0:01))
        (Fee: (To: "Jones-PBLSH-18546789") (House: "Visa")))
     (Play:
        (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1))))
     (Print:
        (Fee: (Per-Use: 10.00 USD))
        (Printer:
           (Certificate:
              (Authority: "DPT")
              (Type: "TrustedPrinter-6")))
        (Watermark:
           (Watermark-Str: "Title: 'Zeke Zack - the Moby Dog' Copyright
              1994 by Zeke Jones. All Rights Reserved.")
           (Watermark-Tokens: user-id institution-location render-name
              render-time)))
     (Transfer:)
     (Copy: (Fee: (Per-Use: 10.00 USD)))
     (Copy: (Access:
        (User: (Certificate:
           (Authority: "Murphy Publishers")
           (Type: "Distributor")))))
     (Delete:)
     (Backup:)
     (Restore: (Fee: (Per-Use: 5.00 USD)))))



[0085] This work specification describes the rights for an edition of a book titled "Zuke-Zack, the Moby Dog Story." 
The work incorporates two other parts, a photograph and a chart of breeds. The rights in the "Regular" group are play, 
print, transfer, copy, delete, backup, and restore. The group has a bundle of conditions that apply to all rights in the 
group: the rights in the group are valid until January 1, 1998, the fee should be paid to account "Jones-PBLSH-18546789", 
and the clearing house for this transaction should be Visa. The following contract applies: the work can be played for 
$1.00 per hour, where the fee is accumulated by the second; the work can be printed on TrustedPrinter-6, which is 
certified by "DPT", for a fee of $10.00 per print; the printed copy should have a watermark that includes "fingerprint" 
information known at the time it is printed; this work can be copied for $10.00 per copy or by a holder of a distributor 
certificate from Murphy Publishing; and unrestricted transfer, delete, backup and restore of the work is permitted 
(restoration costs $5.00). 
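To show how an enforcement module such as the SPD Control would consume a specification like this one, here is an added example in Python; it is not code from the patent or from the DPRL project. It embeds the "Regular" rights group above (retyped from the listing), parses the parenthesised syntax into nested lists, and answers the questions the rights-enforcement step of Figure 7 has to answer: which rights a group grants, what fee a right carries, and whether the group's time bundle has expired at a given moment. The function names and the nested-list representation are this example's own choices.

```python
"""Reader for DPRL work specifications (added example, not the patent's code)."""
import re
from datetime import datetime

# Retyped from the work specification above (constructed test input).
SPEC = """
(Work:
  (Rights-Language-Version: 1.02)
  (Work-ID: "ISDN-1-55860-166-X; AAP-2348957tut")
  (Description: "Title: 'Zuke-Zack, the Moby Dog Story'
     Author: 'John Beagle'
     Copyright 1994 Jones Publishing")
  (Owner (Certificate:
     (Authority: "Library of Congress")
     (ID: "Murphy Publishers")))
  (Parts: "Photo-Celebshots-Dogs-23487gfj" "Dog-Breeds-Chart-AKC")
  (Comment: "Rights edited by Pete Jones, June 1996.")
  (Contents: (From: 1) (To: 16636))
  (Rights-Group: "Regular"
     (Comment: "This set of rights is used for standard retail editions.")
     (Bundle:
        (Time: (Until: 1998/01/01 0:01))
        (Fee: (To: "Jones-PBLSH-18546789") (House: "Visa")))
     (Play:
        (Fee: (Metered: (Rate: 1.00 USD) (Per: 1:0:0) (By: 0:0:1))))
     (Print:
        (Fee: (Per-Use: 10.00 USD))
        (Printer:
           (Certificate:
              (Authority: "DPT")
              (Type: "TrustedPrinter-6")))
        (Watermark:
           (Watermark-Str: "Title: 'Zeke Zack - the Moby Dog' Copyright 1994 by Zeke Jones. All Rights Reserved.")
           (Watermark-Tokens: user-id institution-location render-name render-time)))
     (Transfer:)
     (Copy: (Fee: (Per-Use: 10.00 USD)))
     (Copy: (Access:
        (User: (Certificate:
           (Authority: "Murphy Publishers")
           (Type: "Distributor")))))
     (Delete:)
     (Backup:)
     (Restore: (Fee: (Per-Use: 5.00 USD)))))
"""

# Tokens: "(", ")", a double-quoted string (may span lines), or a bare atom.
TOKEN = re.compile(r'\s*(?:(\()|(\))|("(?:[^"\\]|\\.)*")|([^\s()"]+))')


def parse(text):
    """Parse DPRL text into nested lists; strings lose their quotes, atoms stay str."""
    stack, cur = [], []
    for m in TOKEN.finditer(text):
        lparen, rparen, string, atom = m.groups()
        if lparen:
            stack.append(cur)
            cur = []
        elif rparen:
            finished, cur = cur, stack.pop()
            cur.append(finished)
        elif string:
            cur.append(string[1:-1])
        else:
            cur.append(atom)
    if stack:
        raise ValueError("unbalanced parentheses")
    return cur[0]


def children(node, key):
    """Child lists of node whose head atom equals key, e.g. 'Fee:'."""
    return [c for c in node if isinstance(c, list) and c and c[0] == key]


def rights_group(work, name):
    for group in children(work, "Rights-Group:"):
        if group[1] == name:
            return group
    raise KeyError(name)


def rights_in_group(group):
    """Names of the rights granted by a group (Comment: and Bundle: are not rights)."""
    return [c[0].rstrip(":") for c in group[2:]
            if isinstance(c, list) and c[0] not in ("Comment:", "Bundle:")]


def fee_for(group, right):
    """First Fee: under the named right as (kind, amount, currency), or None."""
    for node in children(group, right + ":"):
        for fee in children(node, "Fee:"):
            spec = fee[1]                       # e.g. ['Per-Use:', '10.00', 'USD']
            if spec[0] == "Metered:":
                rate = children(spec, "Rate:")[0]
                return ("Metered", float(rate[1]), rate[2])
            return (spec[0].rstrip(":"), float(spec[1]), spec[2])
    return None


def bundle_until(group):
    """Expiry from the group's (Bundle: (Time: (Until: date time))) clause."""
    bundle = children(group, "Bundle:")[0]
    until = children(children(bundle, "Time:")[0], "Until:")[0]
    return datetime.strptime(" ".join(until[1:]), "%Y/%m/%d %H:%M")


def bundle_expired(group, now_iso):
    """True if the whole group is no longer valid at the ISO-8601 instant given."""
    return datetime.fromisoformat(now_iso) >= bundle_until(group)


if __name__ == "__main__":
    regular = rights_group(parse(SPEC), "Regular")
    for right in rights_in_group(regular):
        print(right, fee_for(regular, right))
    print("expired on 1999-06-01:", bundle_expired(regular, "1999-06-01T00:00:00"))
```

Note that the two Copy: entries are kept as separate rights: the first carries a per-use fee, the second an access condition instead, which is how DPRL expresses "free for holders of a distributor certificate"; an enforcer has to try each alternative rather than stop at the first.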

e . T h^s:» 



[0086] 

level (i 



author/publshe. 110 (or transmission to me «•»»»» (f« u ™ a „ a ,« um to. later cuetomlz=«on. When a 

or. that users behalf (othei the... .=.. optional nolHicat.o,. me»«.j* ^ ^ 630) a customi2ed SPD 

l0 0b9) The user permiss.on, and the user's pubhc key 6,b are them sed to* P > jssions 

l 6 32 adapted to be used by the user. T "7~^ in the content segment 516 
segment 514 of the SPD 632, and the user's public ^^^^Sm the SPD from the generic form to the 

of ?he SPD 632. A public-key e -^ io ^ different 

p^e^ 
can be used to decrypt it. 
[0090] The resulting custom SPD 632 is then transmitted to the user 118 by any available means, such as via a 
computer network or stored on a physical medium (such as a magnetic or optical disk). 

[0091] The operations performed when a user receives an SPD are depicted in the flow diagram of Figure 7. The 
SPD is first received and stored at the user's system (step 710); in many cases, it is not necessary to use the SPD 
right away. When usage is desired, the user is first authenticated (step 712), typically with a user name and a password 
or key. The system then determines what action is desired by the user (step 714). When an action is chosen, the rights- 
enforcement step of the invention (step 716) verifies the conditions associated with the desired action (such as the 
fee, time, level of access, watermark, or other conditions); this can be performed locally via the SPD applet 512 (Figure 
5) or by accessing a rights enforcement server. 

[0092] If the rights enforcement step (step 716) fails, an update procedure (step 718) is undertaken. The user may 
choose to update his permissions, for example by authorizing additional fees. After the satisfactory verification of con- 
ditions, a pre-audit procedure (step 718) is performed, in which the SPD system logs verification status to a tracking 
service (e.g., the audit server 130 of Figure 1). The content is then securely rendered to the screen (step 722) as 
discussed above. When the user is finished, a post-audit procedure (step 724) is performed in which the amount of 
usage is updated with the tracking service. The SPD system then awaits further action. 

[0093] The protection yielded by the SPD is derived from the user's inability to capture a useful form of the document 
at any intermediate stage during the rendering process. This is accomplished by decrypting the document contents to 
a clear form at the latest possible stage, ideally in the last step. 

[0094] The SPD decryption model is illustrated in Figure 8. E denotes the encryption function performed by the 
publisher, D denotes the decryption performed at the user's system, and R denotes the rendering transformation. Many 
prior systems use a first sequence of transformations 810, D(E(x)) followed by R(D(E(x))). As stated previously, the 
early decryption leaves the document in a vulnerable state. Ideally, the transformations are performed in the reverse 
order 812, R'(E(x)) followed by D(R'(E(x))). This postpones decryption to the latest possible time. 
[0095] The existence of R', a rendering operation that can be performed before decryption, is determined by the 
following equality: 

D(R'(E(x))) = R(D(E(x))) 

In case the encryption and decryption functions are commutative, that is, E(D(x)) = D(E(x)) for any x, the existence 
of R' is ensured: 

R'(y) = E(R(D(y))) for y = E(x) 

In practice, encryption and decryption functions in popular public-key cryptographic systems such as the RSA system 
and the ElGamal discrete logarithm system satisfy the commutation requirement. This means that the transformation R' 
exists if these cryptographic systems are used for encryption and decryption. 

[0096] The path x' = D(R'(E(x))) portrays an ideal SPD solution to the document protection against unauthorized 
document usage and distribution. A scenario of distributing and using a document can be described as follows. When 
a user purchases the document, the document is encrypted using a user's public information and is transmitted over 
an insecure network channel such as the Internet. The encrypted document has the rights information attached to it 
and a protecting applet 512 that enforces the rights and permissions granted to the user by the content owner. Upon 
a user's request on using the document, the applet verifies the rights and permissions and generates from the encrypted 
document the presentation format of the original document. As any intermediate form of the document before the final 
presentation data is encrypted with the user's private information, the SPD model of document protection ensures that 
any intermediate form of the document is not useful to other systems wherever it is intercepted. 

[0097] Clearly, this ideal solution relies on whether the transformation R' that corresponds to the rendering 
transformation R can be computed efficiently, and in particular on whether or not an invocation of the decryption function 
D is necessary during an implementation of R'. A trivial case in which R' can be implemented efficiently is where R is 
commutative with the encryption function E. When this happens, 

R'(y) = E(R(D(y))) = R(E(D(y))) = R(y) 

for y = E(x). In this case, R' = R. 
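The two compositions R'(E(x)) and R(D(E(x))) can be checked numerically. The following added example (not code from the patent) uses textbook RSA with the well-known toy modulus 3233 and a scaling step R(x) = 3x as the rendering operation. It shows the generic R' = E∘R∘D of [0095], which needs the decryption key, and an efficient R' for scaling that needs only the public key because RSA is multiplicatively homomorphic; it also shows that a shift x → x + s cannot be blinded this way, which is why the additive schemes described later in this document are needed for affine rendering. Function names and the sample values are this example's own.

```python
"""Blind rendering transformation R' under RSA (added example, not the patent's code)."""

# Constructed toy RSA key (the classic n = 61 * 53 example); insecure by design.
N, E_EXP, D_EXP = 3233, 17, 2753


def rsa_encrypt(x):
    """E(x) = x^e mod n: deterministic and multiplicatively homomorphic."""
    return pow(x, E_EXP, N)


def rsa_decrypt(y):
    """D(y) = y^d mod n."""
    return pow(y, D_EXP, N)


def render_scale(x, c=3):
    """R(x): a scaling step of the renderer applied to a clear coordinate."""
    return c * x


def blind_generic(y, render):
    """R'(y) = E(R(D(y))): always exists when E and D commute, but the
    renderer would have to hold the decryption key, defeating the purpose."""
    return rsa_encrypt(render(rsa_decrypt(y)))


def blind_scale(y, c=3):
    """Efficient R' for scaling: E(c) * E(x) = (c*x)^e mod n = E(c*x).
    Only the public key is used, so the renderer never sees x."""
    return (rsa_encrypt(c) * y) % N


def demo(x=100):
    """Return (D(R'(E(x))), R(D(E(x)))); both sides must agree."""
    y = rsa_encrypt(x)
    ideal_path = rsa_decrypt(blind_scale(y))       # decrypt last
    classic_path = render_scale(rsa_decrypt(y))    # decrypt first
    return ideal_path, classic_path


def shift_attempt(x=100, s=5):
    """A shift x -> x + s is not blindable with a multiplicative cipher:
    E(s) * E(x) decrypts to s*x, not to x + s."""
    wrong = rsa_decrypt((rsa_encrypt(s) * rsa_encrypt(x)) % N)
    return wrong, x + s


if __name__ == "__main__":
    print("scale:", demo())            # (300, 300)
    print("shift:", shift_attempt())   # (500, 105): multiplicative scheme fails
```

The scaling case works only while c·x stays below the modulus; in a real system the coordinate range and the modulus have to be chosen together, which is the same constraint the additive schemes later in the document impose on the size of the message space.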
[0098] Consideration of Figure 8 reveals that many intermediate solutions (e.g., intermediate solutions 814, 816, 
and 818) to the document protection problem may exist on the user's system between the two extremes x' = R(D(E(x))) 
and x'' = D(R'(E(x))), which has ideal protection (under the assumptions 

SETTS: 7«SSSS^!S^ i * a „, Pau , _ « 

level to the document. mothrtH of rteiavino decryption to the last possible moment employs a 

[0099] As discussed above, one alternate method of de laying decrypt on w docume nt as a whole. 

polarization technique that encrypts onj MJJ ^^^J^ jt should be note d. does 

This possibility is shown but is rather a transient state occurring within 

not exist in any single .deniable location *™0 «" ^f-^ate portion 914 and a format portion 91 6. The data portion 
step 41 2 of Figure 4). the document ,s spirt (step 1 J^data portion £ j c(ear f ^ ^ g 

914 is polarized (step ^^S"^^ o poTaSed resentation data without first decrypting the 
This results in polarized content 924 tha can be ™° * than wholesale encryption wrth the 

content. It should be observed that this form ol dt!Sd fS. the layout of a document, word lengths, line 
polarization key. since a lot of informa t.on can JJ^J^^ELl copyright infringement. 
,engths, etc; however, this '^^^^f^SS^ ^ploys a bind transformation function is shown 
[0100] A method of protecting a digital work °"™9 'ep'av ™ * 0 is orovided to replay application 1012. Digital 
with reference to Figure 10. In Figure 10. """J^ 1 ^ replay application 1012 to 

work 1010 has been encrypted with a format ^ mB ^^^^^ 0 ^ tnen sen t to decryption engine 1018 
generate encrypted presentation data ^^^T^SSm^^i now in the clear, but .ess likely to be 
where it is decrypted into clear presentation ^J^*^Sn* viewed or used directly by the user, then no 
regenerated into the original digrta. form. If presented ion J^^J^i* by a display system such as a 
further processing is required. However somet.mes n a ^^S^Se rendering application (in the case 

SZ^^^t^^™"^ ima9e ™ ,ma9e data 1024 is then p 

wants a server Steve to *-P ute '^^^^^^ Steve knowing her private data X 

x, and Cathy wishes, for privacy concerns that the «« 0 ™" hfi computes F(a , X ) for Cathy but with his 

and the function value F(a.x). From Steve's point of y ew th « mea " 8 P rform ^ transformation only wrth 

eyes blindfolded. What this means is that Cathy again encrypted using her key 

data E k (x) encrypted using Cathy's key k, ^^^JHS SSJ has avo ded disclosing the data x in the 



below: 



(a, x)  ------ E_k ------>  (a, E_k(x)) 
   |                             | 
   F                             P 
   |                             | 
   v                             v 
 F(a, x) <---- D_{k^-1} ----  P(a, E_k(x)) 

P(a, E_k(x)) is what Steve really computes, and the transformation result P(a, E_k(x)) = E_k(F(a, x)) is ready 
for Cathy. Steve carries out a "blind" transformation for Cathy. 

(i) Cathy encrypts x using her encryption key k, resulting in E_k(x). 
that the server computes private to the client, but they differ in that the client supplies the data input and the server 
supplies (a program that evaluates) the function in blind transformation, while it is the other way around in secure 
mobile computing. Note that blind transformation allows some portion of the data (e.g., a) to be in the clear. This enables 
use of some dynamic yet clear data in the rendering process, such as display window size, reference positions for 
shifting content, scaling factor and coefficients in a rotation operation. 

[0104] Blind transformation works only if there exist functions F and P to compute the encrypted data. It can be 
shown that multivariate, integer coefficient affine functions using additive encryption schemes permit many document 
rendering functions of the affine type on the x- and y-coordinates to be evaluated in blind transformation. For a given 
encryption scheme S, a function F: X → X is said to be S-blindly computable if there exists some function P: X → X 
such that the computational complexity for evaluating P is a polynomial of the one for evaluating F, and 

F(a, x) = D_{k^-1}(P(a, E_k(x))) 

for any k ∈ K and x ∈ X. A function F: X → X is said to be blindly computable if there exists an encryption scheme S 
with X being a subset of its message space such that F is S-blindly computable. 

[0105] Any multivariate, integer-coefficient affine function is S-blindly computable for any additive encryption scheme S. 
Specifically, let 

F(x_1, ..., x_k) = x_0 + a_1 x_1 + ... + a_k x_k 

be a multivariate affine function with a constant x_0 ∈ X, integer coefficients a_i and variables x_1, ..., x_k in X. Then, for 
any key k ∈ K, there exists a computationally efficient function 

P(y_1, ..., y_k) = y_0 ⊕ b_1 y_1 ⊕ ... ⊕ b_k y_k 

such that 

D_{k^-1}(P(E_k(x_1), ..., E_k(x_k))) = F(x_1, ..., x_k). 

Indeed, the constant y_0 and integer coefficients b_i in P can be taken to be y_0 = E_k(x_0), b_i = a_i, i = 1, ..., k. The 
blind transformation of multivariate, integer coefficient affine functions using additive encryption schemes allows many 
document rendering functions of the affine type on the x- and y-coordinates to be evaluated in the blind manner, pro- 
viding a theoretical foundation for the format-preserving encryption and trusted rendering of documents described 
herein. 
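An added example (not the patent's code) of S-blind computation of an affine F under an additive scheme: it uses the exponential cipher E_g(x) = g^x (mod p) described later in this document, with a tiny constructed prime so that the discrete logarithm can be found by exhaustive search. Under this cipher the ciphertext operation ⊕ is multiplication mod p, so P keeps F's integer coefficients but multiplies ciphertexts and raises each one to its coefficient; a negative coefficient becomes a modular inverse. The function names and the sample coefficients are assumptions of the example.

```python
"""Blind evaluation of an affine F under the exponential cipher (added example)."""

PRIME = 1019  # constructed toy prime; a real deployment needs a prime where DLP is hard


def find_generator(p):
    """Smallest primitive root mod p, found by trial division of p-1 (fine for toy p)."""
    factors, m, d = [], p - 1, 2
    while d * d <= m:
        if m % d == 0:
            factors.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        factors.append(m)
    for g in range(2, p):
        if all(pow(g, (p - 1) // f, p) != 1 for f in factors):
            return g
    raise ValueError("no generator found")


G = find_generator(PRIME)


def enc(x):
    """E_g(x) = g^x mod p; the message space is Z_(p-1)."""
    return pow(G, x % (PRIME - 1), PRIME)


def dec(y):
    """D_g(y) = log_g y by exhaustive search (only viable because p is tiny)."""
    acc = 1
    for x in range(PRIME - 1):
        if acc == y:
            return x
        acc = (acc * G) % PRIME
    raise ValueError("ciphertext not in the group")


def affine_clear(x0, coeffs, xs):
    """F(x) = x_0 + a_1 x_1 + ... + a_k x_k, reduced mod (p-1)."""
    return (x0 + sum(a * x for a, x in zip(coeffs, xs))) % (PRIME - 1)


def affine_blind(y0, coeffs, ys):
    """P(y) = y_0 (+) a_1 y_1 (+) ... : addition of clear values becomes
    multiplication of ciphertexts, integer scaling becomes exponentiation."""
    out = y0
    for a, y in zip(coeffs, ys):
        out = (out * pow(y, a, PRIME)) % PRIME   # a < 0 uses the modular inverse
    return out


def demo():
    """Return (decrypted blind result, clear result); they must agree."""
    x0, coeffs, xs = 10, [2, 3, -1], [7, 5, 4]     # constructed affine map
    y0, ys = enc(x0), [enc(x) for x in xs]
    blind = affine_blind(y0, coeffs, ys)           # the server never sees xs
    return dec(blind), affine_clear(x0, coeffs, xs)


if __name__ == "__main__":
    print(demo())   # (35, 35)
```

The constant term is supplied as the ciphertext E_k(x_0) exactly as the paragraph prescribes (y_0 = E_k(x_0)); the coefficients stay in the clear, which is what allows the renderer to apply them without any key.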

[0106] A document is usually a message that conforms to a certain format. For document encryption, in addition to 
simply encrypting the entire document there are many different ways to encrypt only some parts of the document. The 
goal here is that the information leakage about the unencrypted portion cannot be used, or if it does leak, it is compu- 
tationally difficult to reconstruct the clear original content. 

[0107] If an encryption scheme is used which preserves the formatting information of the digital work, then any transformation 
function (replay application or rendering application) may be used. An example of a format preserving encryption meth- 
od is described for convenience with reference to token-based documents. The method for format-preserving encryp- 
tion can be easily extended or applied to documents in other formats (such as HTML/XML, Microsoft WORD, Acrobat 
PDF, etc.). In a token-based format such as the Xerox DigiPaper, each page image of a document is represented as 
a "dictionary" of token images (such as characters and graphics elements) and location information (indicating where 
those token images appear in the page). Thus, multiple occurrences of the same token in the document can be rep- 
resented using just a single image of that token in the dictionary. 

[01 08] The process of rendering a document in such a format is then accomplished by consecutively reading in token 
locations, retrieving images of the tokens from the dictionary and drawing the images at the specified locations. The 



EP 1 146 715 A1 



im, g e, where id M is .he ■oker 
(K-D-ih token occurrence ,n the page. ^'"^^"Z^J^^ ,„ Bgure5 ,2 ,nb 13 respectively, 
and lecation table (using », y coordtnates) lor his * 0 ^™" 9 3" , " 0 , , aoeljme „, o are renders. In 

[oln o, Tne cohen* ^^^^^S^SLSp^. U-MXTMW - a a—a 
the code. to,, y 0 are the base references lor rna y ( M T correspo „ dlng ,„ ,he 

ssra si ««. . — -.on <*,,. 
Render(D) 
{ 
    Load T into memory 
    for i = 1 to P do 
    { 
        Load L_i into memory 
        x = x_0 
        y = y_0 
        for k = 1 to |L_i| do 
        { 
            x = x + x[k] 
            y = y + y[k] 
            t = Lookup(T, id[k]) 
            Draw(x, y, t) 
        } 
    } 
} 



Shifting. The shifting transformation is x = x + a; y = y + b, as used in the schematic rendering process above. 

[0113] Rotation. The rotation transformation is 

x = ax + by; y = cx + dy 

for some constants a, b, c, d, which form a 2-by-2 rotation matrix. This transformation is needed when the page image 
is rotated. 

[0114] Affine Transformation. An affine transformation is one of the form x = ax + by + e; y = cx + dy + f for some 
constants a, b, c, d, e, f. In the vector form, it is: 

[x]   [a  b] [x]   [e] 
[y] = [c  d] [y] + [f] 

Clearly, shifting, scaling and rotation transformations are special cases of affine transformations. It is those affine type 
transformations that make it possible to achieve a high-level trusted rendering under encryption of coordinate infor- 
mation using the additive encryption schemes described below. 
[0115] A special class of encryption schemes, namely, additive encryption schemes, is used to carry out blind 
transformation of functions of the affine type, which provides a foundation for trusted rendering of documents. Blind 
transformation by a rendering transformation R and its counterpart R' of an encrypted document satisfies the relationship 
D(R'(E(x))) = R(D(E(x))), where E is an encryption function and D is a decryption function for E. If E(x) is an additive encryption 
scheme, then R' = R.
[0116] An encryption scheme S generally consists of five components: (i) a message space X which is a 
collection of possible messages, (ii) a ciphertext space Y which is a collection of possible encrypted messages, (iii) a 
key space K which is a set of possible keys, (iv) a computationally efficient encryption function E: K × X → Y and (v) 
a computationally efficient decryption function D: K × Y → X. For each key k ∈ K, there is a unique key k^-1 ∈ K, such 
that the encryption function E_k = E(k, ·): X → Y and the decryption function D_{k^-1} = D(k^-1, ·): Y → X satisfy that, for every 
message x ∈ X, D_{k^-1}(E_k(x)) = x. The key k is called an encryption key and k^-1 its corresponding decryption key. 

[0117] Such defined encryption schemes can be varied in several ways to cover a wide range of concrete encryption 
schemes used in practice. One variation is to consider whether or not keys used for encryption and decryption are 
different. In the case where all encryption keys k are the same as their corresponding decryption keys k^-1, the scheme is 
a symmetric (or private-key) one; otherwise, the scheme is asymmetric. In the case where, for all possible k, k^-1 is 
different from k and computationally difficult to derive from k, the scheme is a public-key encryption scheme. 

[0118] Another variation is to differentiate deterministic and probabilistic encryption schemes. In a deterministic 
scheme, all the encryption and decryption functions E_k and D_{k^-1} are deterministic functions, while in a probabilistic 
scheme the encryption function E_k can be non-deterministic, namely, applying the function to a message twice may 
result in two different encrypted messages. 

[0119] An additive encryption scheme is an encryption scheme whose message space X and ciphertext space Y 
possess some additive structures and whose encryption function E_k = E(k, ·): X → Y is homomorphic with respect to the additive 
structures. Specifically, let X = (X, +, 0) and Y = (Y, ⊕, 0) be two commutative semigroups with (possibly different) zero 
elements 0 satisfying, for all x, x + 0 = x and 0 + x = x, and efficient operations + and ⊕. An encryption 
scheme is said to be additive if, for any k ∈ K and any x, x' ∈ X, E_k(x + x') = E_k(x) ⊕ E_k(x'), and the operation ⊕ does 
not reveal the clear messages x and x'. The last condition on ⊕ makes additive encryption schemes non-trivial. Without 
this condition, the operation ⊕ on Y could be trivially defined as y ⊕ y' = E_k(D_{k^-1}(y) + D_{k^-1}(y')); that is, it is accomplished by 
first decrypting the arguments, then adding them together and finally re-encrypting the result. 
[0120] Closely related to additive encryption schemes are multiplicative ones. An encryption scheme is said to be 
multiplicative if its spaces X and Y have ring structures (i.e., in addition to their additive structures, they have 
respective multiplications × and ⊗ that are distributive over their additions + and ⊕, and multiplicative identities), the 
encryption function E_k is homomorphic with respect to the multiplications, E_k(x × x') = E_k(x) ⊗ E_k(x'), and the operation 
⊗ does not reveal the clear messages x and x'. 

[0121] In general, additive (as well as multiplicative) encryption schemes are not non-malleable, since a non-malle- 
able scheme requires that, given an encrypted message, it is (at least computationally) impossible to generate a different 
encrypted message such that the respective clear messages are related. Accordingly, they have a weakness against 
active attacks where the adversary attempts to delete, add or alter in some other way the encrypted messages. How- 
ever, when these schemes are used to encrypt documents, extra measures in data integrity and message authentication 
can be taken to reduce risks caused by these active attacks on document integrity as well as confidentiality. Moreover, 
end users are less motivated to initiate active attacks, as the attacks will affect document contents that the users are 

£ST Not^e" -hemes can be defined as ^^^^^^^Z- 
Lryption schemes are designed with a used in the method of 

additive. Nevertheless, there are many examples of addrt,ve ^encry won deterministic schemes). OU 

integer n > 0. The encryption of a message x using a key a is 

y = E_a(x) = ax (mod n) 

and the decryption of a message y using a key a is 

x = D_a(y) = a^-1 y (mod n), 



where a^-1 is the multiplicative inverse of a modulo n. 

sr. rrrr:; sirs:sr«v, « « — 

function is defined as the exponential function 

E_g(x) = g^x (mod p), 

while the decryption function is defined as the logarithm function 

D_g(y) = log_g y (mod (p-1)). 




[0 1 25] Semi-probabilistic EIGama. Cipher (EG) extends the exponential cipher to the E^ama. cipher which leads 
K E Lma. cipher «o run in a semi-probabiiistic ^^J^^^^^La^ number a E 
^ tf^^^ 1 ^^ XSn EX 0 Spends on a un« chosen random 
number r G Z* p .v 

E_a(x, r) = (g^r (mod p), x a^r (mod p)) = (s, t). 

For an encrypted message (s, t), the decryption function is defined as 

D_a(s, t) = t (s^a)^-1 (mod p). 

,o, 27) This ^ * m*~ — ■ — - — 9 « s ~ *""»"*' u "" 9 * """"" 

number r. i . . Irhivama D roDosed an additive, public-key encryption 

[0128] Okamoto-Uchiyama Cipher (OU). Okamoto and Uchiyama proposed an additive, public-key encryption 
scheme in T. Okamoto and S. Uchiyama, "A New Public-Key Cryptosystem as Secure as Factoring", Eurocrypt '98. 
The scheme is probabilistic and provably as secure as the intractability of factoring. Let p and q be two primes and 
n = p^2 q. Choose g ∈ Z*_n at random such that the order of g_p = g^(p-1) (mod p^2) is p. Let h = g^n (mod n). The message 
space X of the OU scheme is the set Z*_p (not the set {1, ..., 2^k - 1} as claimed by Okamoto and Uchiyama) and the ciphertext 
space Y is Z_n. For a user, a public key is a tuple (n, g, h, k) and its corresponding private key is the pair (p, q) of the 
primes. To encrypt a message x ∈ X, a random number r ∈ Z_n is chosen uniformly. Then, the encrypted message is 

y = E_(n,g,h,k)(x, r) = g^x h^r (mod n). 

To decrypt the encrypted message y, a "logarithmic" function L: Γ → Γ, 

L(x) = (x - 1) p^-1 (mod p^2) 

is used, where Γ is the p-Sylow subgroup of Z*_{p^2}, i.e., Γ = {x ∈ Z*_{p^2} | x ≡ 1 (mod p)}. With the function L, the decryption 
function is 

x = D_{p,q}(y) = L(y^(p-1) (mod p^2)) L(g_p)^-1 (mod p^2). 

[0129] New additive encryption schemes can be constructed from existing ones via the composition construction of 
encryption schemes. The composition construction can also be used to construct additive encryption schemes from 
non-additive ones. For instance, the composition of the exponential cipher Exp and any multiplicative encryption 
scheme S (such as RSA) results in an additive one. 

[0130] Additive encryption schemes enable blind transformation with partially encrypted data, which serves as a foun- 
dation for trusted rendering of documents, as discussed above. In particular, additive encryption schemes can be used 
to perform blind transformation of affine functions with clear coefficients and encrypted variables. 
[0131] Returning to the example of a token-based document, since a token-based document D consists of a dictionary 
T of token images and a sequence of location tables L_i (one for each page image), the idea is to encrypt the content 
of the dictionary T and location tables L_i, resulting in a dictionary T' of encrypted token images and tables L'_i of encrypted 
locations. Recall that the dictionary T consists of a collection of pairs (id[j], t[j]), j = 1, ..., m. Associated with T is a 
subroutine Lookup in the rendering process that, given a valid token identifier id, returns its corresponding token image 
t in T. In encrypting the dictionary T, there are three basic choices: encrypting token identifiers, token images, or both. 
Encrypting either identifiers or token images helps unlink the connection between the identifiers and their token images. 
In addition, encrypting token images protects proprietary token images. In any case, it is desirable to allow valid access 
to the dictionary only within the rendering process P, while making it computationally difficult to obtain a copy of the 
entire, clear contents of the dictionary. This is possible because in many cases the valid identifiers (e.g., Huffman 
codewords) are only a very small subset of all binary strings of up to a certain length, and consequently any exhaustive 
identifier search will not be efficient. 

[0132] More formally, given the dictionary T and the Lookup subroutine that accesses it, the requirement on encrypting 
the dictionary is that the encrypted dictionary T' and the corresponding subroutine Lookup' satisfy the following con- 
straints: 

(1) For any encrypted identifier E_k(id), Lookup'(T', E_k(id)) = E_k(Lookup(T, id)); and 

(2) Given T' and Lookup', it is computationally infeasible to reconstruct T. 

[0133] For an encryption scheme S, T' and Lookup' can be constructed as follows. Let ID be the set of all syntactically 
possible identifiers; in particular ID* ⊂ ID, where ID* = {id | (id, t) ∈ T}. Let h be a one-way hash function whose domain 
is ID. The encrypted dictionary T' is created as follows: for each pair (id, t) in T, the pair (h(id), E_k(t)) is 
inserted into T'. The modified subroutine Lookup' uses the algorithm: 
Lookup'(T', id) 
{ 
    id' = h(id) 
    t' = Lookup(T', id') 
    return t' 
} 



—tthere— 
^^^^ 

bim^^^ 

T and Lookup'. ^n^ists of an identifier, and location difference in x- and y-coordmates, 

[0135] Since each entry in a location list L_i consists of an identifier and the location difference in x- and y-coordinates, 
any combination of the three elements can be encrypted to protect the location information. An additive encryption 
scheme is recommended so that the rendering process can operate directly on the encrypted coordinates. For identifiers, 
a trade-off between document compression and protection must be made. In a token-based document, a token identifier 
is usually a codeword generated for the compression purpose. For example, when the Huffman code is used to compress 
tokens based on their occurrence frequencies, the identifiers are the binary Huffman codewords of the tokens. In this 
case, simply using a deterministic encryption scheme to encrypt these identifiers offers little protection, since the 
number of occurrences of each encrypted identifier reveals the occurrence frequency of each token, and these 
frequencies can be used to re-construct the Huffman code. Therefore, in order to hide the occurrence frequencies of 
the tokens in the document it is preferred to use a probabilistic encryption scheme, although this enlarges the 
encrypted identifiers (codewords) and reduces the document compression that is one of the design goals of the format. 

[0136] A reasonable compromise for encrypting the location lists is suggested: choose an additive encryption scheme S, 
preferably a probabilistic and asymmetric one like the Okamoto-Uchiyama scheme, for which encryption and decryption 
efficiency is not a big problem. For each entry (id, x, y) in L_i, insert (id, E_k(x), E_k(y)) into the encrypted location 
list. If it is also necessary to encrypt the identifiers, entries like (E_k(id), E_k(x), E_k(y)) are inserted instead. But in this 
case, the entries in the encrypted dictionary T' need to be changed to (E_k(id), E_k(t)), and Lookup' above also needs to be 
modified to reflect the change. 

[0137] For the token-based document mentioned above, the document content rendering process is shown below. 



Render(D) 
{ 
    for i = 1 to P do 
    { 
        Load L_i into memory 
        x = E_k(x_0) 
        y = E_k(y_0) 
        for j = 1 to |L_i| do 
        { 
            x = x ⊕ x[j] 
            y = y ⊕ y[j] 
            t = Lookup'(T', id[j]) 
            Draw'(x, y, t) 
        } 
    } 
} 

Draw'(x, y, t) 
{ 
    x = D_{k^-1}(x) 
    y = D_{k^-1}(y) 
    t = D_{k^-1}(t) 
    Draw(x, y, t) 
} 



During the process, all the coordinate and token image information remains encrypted until the subroutine 
Draw'(x, y, t) is called. This is possible for the coordinate information because the encryption scheme is additive. 
Consequently, the content protection level and the performance of the rendering process rely on the security strength 
and computational complexity of the scheme used. 
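A runnable illustration of paragraphs [0133] to [0137], added here and not the patent's own code: the Okamoto-Uchiyama scheme (the "OU" of the claims) stands in for the additive scheme S, SHA-256 stands in for h, and the token dictionary, location lists and "draw" routine are constructed for the demonstration. Render needs only the public key; only Draw' holds the private key.

```python
import hashlib
import math
import secrets


class OkamotoUchiyama:
    """Additive, probabilistic, asymmetric scheme standing in for the page's scheme S.
    E(a) * E(b) mod n = E(a + b mod p): the ciphertext operation the page writes as (+).
    """

    def __init__(self, p, q):              # p, q distinct primes; messages live in Z_p
        self.p, self.n = p, p * p * q
        g = 2
        # g must satisfy g^(p-1) != 1 (mod p^2) so that L(g^(p-1)) is invertible mod p
        while math.gcd(g, self.n) != 1 or pow(g, p - 1, p * p) == 1:
            g += 1
        self.g, self.h = g, pow(g, self.n, self.n)
        self._lg_inv = pow(self._L(pow(g, p - 1, p * p)), -1, p)

    def _L(self, x):                       # log-like map on {x : x = 1 mod p} in Z_{p^2}*
        return (x - 1) // self.p

    def encrypt(self, m):                  # public key only: E_k(m) = g^m * h^r mod n
        r = secrets.randbelow(self.n - 1) + 1
        return pow(self.g, m % self.p, self.n) * pow(self.h, r, self.n) % self.n

    def add(self, c1, c2):                 # E(a) (+) E(b) = E(a + b)
        return c1 * c2 % self.n

    def decrypt(self, c):                  # private key (p) only: the page's D_{k^-1}
        return self._L(pow(c, self.p - 1, self.p * self.p)) * self._lg_inv % self.p

    def decrypt_signed(self, c):           # centred representative, so negative deltas round-trip
        m = self.decrypt(c)
        return m - self.p if m > self.p // 2 else m


def h(id_):
    """One-way hash of a token identifier, the h of paragraph [0133] (SHA-256 assumed)."""
    return hashlib.sha256(id_.encode()).hexdigest()


def encrypt_dictionary(S, T):
    """T' = {h(id): E_k(t)} built from the clear dictionary T = {id: t}."""
    return {h(id_): S.encrypt(t) for id_, t in T.items()}


def lookup_prime(T_enc, id_):
    """Lookup'(T', id): hash the identifier, then look it up in T'."""
    return T_enc[h(id_)]


def encrypt_location_lists(S, pages):
    """Each entry (id, dx, dy) of a page list L_i becomes (id, E_k(dx), E_k(dy))."""
    return [[(id_, S.encrypt(dx), S.encrypt(dy)) for id_, dx, dy in page] for page in pages]


def render_blind(S, enc_pages, T_enc, origin, draw_prime):
    """Render(D): positions are accumulated on ciphertexts and decrypted only in Draw'."""
    for page in enc_pages:
        x, y = S.encrypt(origin[0]), S.encrypt(origin[1])   # x = E_k(x_0), y = E_k(y_0)
        for id_, ex, ey in page:
            x, y = S.add(x, ex), S.add(y, ey)               # x = x (+) x[j], y = y (+) y[j]
            draw_prime(x, y, lookup_prime(T_enc, id_))       # t = Lookup'(T', id[j])


def make_draw_prime(S, drawn):
    """Draw'(x, y, t): decrypt just before drawing; 'drawing' here appends a tuple."""
    def draw_prime(x, y, t):
        drawn.append((S.decrypt_signed(x), S.decrypt_signed(y), S.decrypt(t)))
    return draw_prime


# Constructed sample document: token ids map to glyph numbers, positions are deltas
TOKENS = {"t_a": 97, "t_b": 98, "t_sp": 32}
PAGES = [[("t_a", 10, 20), ("t_b", 12, 0), ("t_sp", 8, 0), ("t_a", -30, 15)],
         [("t_b", 5, 5), ("t_b", 12, 0)]]
ORIGIN = (100, 100)


def demo():
    S = OkamotoUchiyama(65537, 65539)     # demonstration primes, far too small for real use
    drawn = []
    render_blind(S, encrypt_location_lists(S, PAGES), encrypt_dictionary(S, TOKENS),
                 ORIGIN, make_draw_prime(S, drawn))
    return drawn


if __name__ == "__main__":
    print(demo())   # [(110, 120, 97), (122, 120, 98), (130, 120, 32), (100, 135, 97), (105, 105, 98), (117, 105, 98)]
```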

[0138] In another embodiment of the invention, a digital work is polarized, enabling trusted rendering or replay of the 
digital work without depolarization of the digital content or the presentation data. In this embodiment, the digital work 
is the type which includes digital content and resource information (the system context). Resource information 
includes formatting information or other information used by a replay or rendering application to convert the digital work 
into presentation data. 

[0139] Polarization is a type of transformation which renders the original content unreadable or unusable. For a digital 
work w, a polarization scheme T, which uses a seed s, generates a polarized digital work w' according to: w' = T(w, s). 
The same transformation T may also be used to generate the polarized resource information S' according to S' = T(S, 
s). In this example, a seed s is used to make reverse engineering of the polarization scheme more difficult. 
[0140] For example, a document type digital work may be polarized using a simple polarization scheme. In a docu- 
ment, the digital content comprises a series of characters in a particular order or location. If the document is to be 
displayed on a viewing device, each character must be able to be displayed at a particular location for viewing by a 
user on the viewing device, such as on a monitor. A coordinate system is required for displaying each character on 

polarization functions may be used to polarize the above paragraph: 



Y = b^y, for the vertical axis; and 
X = x/a, for the horizontal axis. 

The corresponding depolarization functions are: 

y = log_b(Y), for the vertical axis; and 
x = aX, for the horizontal axis. 

To obtain the location of a character in the polarized document, the depolarization functions are applied to the 
polarized coordinates, and the character is then displayed at its correct location on the user's monitor. 

Depending on the value of the digital work to be protected, different levels of polarization may be used. A sensitive 
or high-valued work may require a strong type of polarization; a lower valued work may require a weaker type of 
polarization. If the user system is trusted, a lower level of polarization may be used. An advantage of using a lower 
level of polarization is that fewer system resources are needed to create the polarized digital work. The type and 
quality of the polarization seed may also be used in combination with the polarization scheme to determine the type 
and strength of the polarization. For example, a seed containing authorization information from a trusted source may 
determine the type and strength of the polarization. 

[0146] When a user purchases a digital work, the user preferably provides information from the user system in which 
the user intends to replay the digital work. This information is used to generate the polarization seed for both the 
polarized digital work and the polarized resource information (system context). The polarized digital work and the 
polarized system context information are then provided to the user. Also, typically, but not needed for operation, 
both the polarized digital work and the polarized system context may additionally be encrypted, depending on the 
encryption scheme used. 

[0147] Once the polarization seed has been generated, polarization of the digital work is carried out by a translation 
function which takes as input the digital work (or its resource information) and the seed. 

[0148] A process for creating a polarized digital work is shown in Figure 14. Digital work 1410 is input to content 
polarization 1420, which transforms its digital content into a polarized form. 
The digital content is polarized and the resource information is preserved, creating polarized digital work 1422. The 
content polarization 1420 may occur as shown with reference to Figure 9. A digital work typically includes content, 
instructions and formatting. While polarization can occur to the entire digital work, preferably only the content is 
polarized; the instructions and formatting are not polarized. However, in some instances, for some replay applications, 
some of the resource information contained within the digital work may also be polarized. This is similar for the format 
preserving encryption method described above. 

[0149] Resource extraction 1412 extracts at least one resource information from the set of resource information 
associated with digital work 1410. Extraction consists of copying the resource information into a system resource file 
1414. System resource 1414 is then polarized at resource polarization 1416 to become polarized system resource 
1424. The polarization scheme for content polarization and resource polarization need not be the same. Preferably, 
each polarization scheme employs a polarization seed 1418 which is generated by seed generator 1426. Several 
exemplary methods for seed generation are described below. In particular, in a preferred embodiment, the polarization 
seed is based on unique information from the user's system. 

[0150] Several techniques for generation of the polarization seed may be used. For example, a seed generator which 
generates a number from a random number generator may be used. This method, referred to as stateless polarization, 
does not depend on any secret key information and user system information. The process for stateless polarization 
yields a specific value for the system for polarization. The inherent vulnerability for digital security systems may be 
found in mishandling secret information, mathematical complexity, and algorithmic complexity. Eliminating the secret 
information seals off one target of attack. With stateless polarization, a random number generator produces the 
polarization seed. In this case, once the polarization process is complete the seed is discarded without a trace. Hence, the 
security of the system is free from attack focused on compromising the secret information, and the user need not 
divulge sensitive information that may be deemed a privacy violation. 

[0151] Another seed generator that may be used is a state-based generator. The state-based seed generator 
constructs a seed by first acquiring system state information from the user's replay system or rendering device. System 
state information includes hardware identifiers, system settings and other system state-related information. While there 
is much value in stateless polarization, other security requirements may require use of an inseparable link to a particular 
user system or device. By generating the polarization seed from system/device-specific information, the polarization 
engine will produce a digital work that is polarized to a form that corresponds to a specific system/device. 
[0152] The polarization seed generator can also be tied to an authorization process. In authorization-based 
polarization, the seed generation can be tied in with the outcome of the authorization process. A separate authorization 
repository (which is a trusted source) provides authorization information as part of some other security feature associated 
with delivering access to a digital work to a user. The trusted source of authorization information may be an online 
authorization repository as described in US Patent No. 5,629,980. This authorization information is then used to gen- 
erate a polarization seed. 

[0153] If a stateless polarization seed is used, the digital work and its resource information may be polarized and 
stored together for delivery to a user when a user purchases the associated rights of use for the particular digital work. 
If one of the other polarization seed generation methods is used, polarization typically must wait until the user provides 
the system state or authorization information before the digital work and resource information may be polarized. 
[0154] An embodiment which provides a higher level of protection in terms of ensuring that the digital work may be 
replayed only on a specific physical system or device uses a dynamic state-based polarization seed. In this 
embodiment, a polarization engine and polarization seed generator must be provided to the replay application or rendering 
device along with the digital work and resource information. In this embodiment, the digital work and resource 
information are polarized prior to replay and rendering using a seed which is generated based on the dynamic state of the 
particular system or device. The dynamic state may come, for example, from the system clock, CPU utilization, hard 
drive allocation, cursor coordinates, etc. By polarizing the work using a snapshot of a dynamic state, the work is locked 
to a particular system configuration (i.e., state) in time. Polarization of the digital work, and ultimately its blind replay 
(described below), is based upon a dynamically evolving state. The evolution of the dynamic state does not yield unique 
secret information that allows repeatability of the polarization process; hence dynamic-state based polarization 
makes compromising the polarized digital work and system context more difficult. Since the polarization process is 
carried out within a trusted system, it is implied that the process cannot be deconstructed. 

[0155] The actual process of polarization can be, as described in the example above, an algorithmic-based 
transformation parameterized by the polarization seed. During polarization, the data and resource identifiers of the digital 
work are transformed as described above. The structure of the digital work is unaltered, however, such that the original 
format, such as PDF, DOC, WAV, or other format, is retained much like in the format preserving encryption. Similarly 
the polarization of the resource information yields a polarized form of the resource information such that the resource 
identifiers, element identifiers and resource characteristics are transformed, yet the structure of the system context 
remains unaltered. By polarizing the digital work and resource information according to the same seed based on a 
user's specific device or system information, an inseparable relationship is established such that the work cannot be 
replayed to its clear form with any other device or user system. If circulated in an unauthorized manner, the protection 

remains in effect. 

[0156] During blind replay, the unique characteristics of the polarized resource information enable the replay 
application to properly replay the polarized digital work into presentation data. The polarized elements of the 
digital work remain protected until the last possible moment of replay. 

[0157] As discussed earlier, a conventional digital work is created for an audience and replayed in a viewer or 
replay application. The work is created using an editor, and an unprotected digital work (or, if the content owner 
trusts all users, any digital work) is distributed in the clear, without any encoding, encryption or other protection, 
for direct use by any replay application. 

The digital work is typically stored in memory. In the case of a document or other type of digital work which is 
replayed in a particular system context, replay application 1512 transforms the digital work into presentation data 1514. 

[0160] In some replay applications, converting the digital content into presentation data is sufficient for use by the 
user; in others, presentation data is only an intermediate form and must be further converted. For example, in the 
case of a display system 1524 or a printer, presentation data must be further rendered by rendering application 1518. 
Rendering application 1518 uses other system resources 1516 to transform presentation data 1514 into image data 1520. 
Image data 1520 is in a form which can be directly displayed on the display device (or, for a printer, output as a 
printed document). 

[0161] In addition to the earlier described protection of the digital work during replay, a digital work may be 
protected during replay by polarizing it with a first polarization scheme which produces polarized content and 
preserved resource information. A portion of the digital work's resource information is copied and polarized with a 
polarization scheme. Referring to Figure 16, replay application 1612 uses the polarized resource information 1614 
(and any other system resource information 1616 that may be required) to transform the polarized digital work into 
presentation data 1618. Presentation data 1618 is exposed at this point (for example, to a screen capture utility 
program), but such captured data is not of the same fidelity as the source digital work. 

[0162] Replay converts the digital content into a clear image (presentation data) of the digital content. Blind replay 
operates on polarized digital content: the replay application, which can be any commercial application, does not 
depolarize the content. Blind replay holds for any transformation function R such that R(w', S') = R(w, S), where w' 
is the polarized digital content, w is the clear digital content, S' is the polarized resource information and S is 
the clear resource information. Blind replay of polarized digital works using polarized resource information is 
different from the blind transformation described above. In blind transformation, the replay application converts 
the encrypted digital work into encrypted presentation data, which is decrypted afterwards. 

[0163] Blind replay (also called blind rendering) using a polarized digital work and polarized resource information 
can be used alone to protect the digital work during replay, as well as in addition to encryption. For example, the 
polarized digital work and polarized resource information may be encrypted for distribution, then decrypted at the 
user's system into the polarized digital work and polarized resource information. The user must first obtain 
permission from the content owner or the distributor acting on behalf of the content owner in order to decrypt 
the work. 

[0164] The process of rendering a digital work into a usable form for viewing by a user can be used to further 
protect the digital work during replay. Referring to Figure 17, polarized digital work 1710 is provided to replay application 
1712 which uses polarized system resources 1716 and other system resources 1718 to transform polarized digital 
work 1710 into partially polarized presentation data 1714. In this embodiment, display system 1728 is needed to 
transform presentation data into a form usable by the user. Partially polarized presentation data 1714 is provided to rendering 
application 1720 which uses polarized system resources 1716, local system resources 1722 and system resources 
1718 to transform the partially polarized presentation data 1714 into clear image data 1724. Clear image data 1724 is 
then displayed on display device 1726 for use by the user. In this embodiment, presentation data is still polarized, 
taking the location of the clear data to a later point of the display process and providing further protection. 
[0165] To enhance usability of the system for polarization of digital works, the polarized resource information may 
be separated from the digital work and tied to a transportable device such as a smart card. In this embodiment, the 
replay application 1712 plays back the work using the polarized system resources 1716. Instead of having the polarized 
system resources 1716 stored in a local memory, along with the polarized digital work 1710, the polarized system 
resources 1716 are stored in a transportable device such as a smart card. Also, the smart card, possibly with hardware- 
enhanced features, may possess attributes that provide for tamper resistance. Within the transportable context, the 
polarized data is processed by the replay application 1712 to yield the partially polarized presentation data and then 
provided to the rendering application 1720. 

[0166] Many different types of digital works can be protected throughout use using the polarization method. For 
example, if the digital work is a document or text file, the replay application may be a word processor, system resources 
or resource information may include font tables, page layout, and color tables. If the digital work is audio or video data 
(e.g., streams), the replay application may be an audio or video player. The presentation data will be the audio/video 
final data stream. The display system may be an audio/video device. The rendering application may be the audio/video 
device driver. The image data may be the audio/video device data stream and the display device may be the audio/ 
video rendering device (speaker or monitor, for example). 

[0167] For a digital work that is an audio/video data stream, the system resources or resource information may 
include characteristics of the audio/video device: sample rate (samples per second - e.g., 8 kHz, 44.1 kHz), sample 
quality (bits per sample - e.g., 8, 16); sample type (number of channels - e.g., 1 for mono, 2 for stereo), and sample 
format (instructions and data blocks). A table of some audio/video data streams and their corresponding resource 
information or variable parameters which can be selected for polarization is set forth below: 

Table 1: Digital Work: A/V Data (Streams) 

Extension   Origin          Variable Parameters (#Fixed)    Compression   Player 
.mp3        MPEG standard   sample rate, quality, #type     MPEG          MP3 Player 
.ra         Real Networks   sample rate, quality, #type     Plug-ins      Real Player 
.wav        Microsoft       sample rate, quality, #type     ADPCM         Windows Media 
.snd        Apple           sample rate, #quality, #type    MACE          QuickTime 
[0168] The structure of a digital work can be used advantageously for polarization. While it is possible to polarize 
the entire digital work, it is more convenient to polarize only a portion of the digital work. Most digital works include 
three primary elements: instructions, data, and resources. Preferably, only the data and resources of the digital work 
are polarized, much like the format preserving encryption method described above. By selectively transforming only 
the data and resources, a digital work may be transformed such that the content remains in the original format, yet the 
data and resources are incomprehensible. 

[0169] The general layout of a digital work of the document type is shown in Figure 16. In Figure 16, digital work 150 
includes Page Descriptors 152, Control Codes 154, 158 and 162, Resource Identifiers 156, and Data 160 and 164. Page 
Descriptors 152 define the general layout of a work. For instance, the page size, page number, and margins fall 
into the category of Page Descriptors with respect to digital documents. Control Codes 154, 158 and 162 are similar 
in that they describe the presentation of the content. Examples include commands to set text position, output text, set 
font type and set current screen coordinates. Resource Identifiers 156 simply reference the desired resources. In the 
digital document realm, resources could vary from font typeface to background color. Finally, Data 160, 164 represent 
the core information communicated by the digital work. This could be the drawing coordinates used in a multimedia 
clip or the character codes for rendering as a digital document. 

[0170] An example of a digital work (in this case a simple digital document) and one of its polarized forms are shown 
in Figures 19 and 20, an HTML document in clear and polarized form. The tags <html> and <body> are Page 
Descriptors. The <font>...</font> tag is an example of a Control Code for setting font resource characteristics, while "Arial" 
is a Resource Identifier. 
[0171] Figure 20 shows what the digital document looks like after polarization. The <html>, <body> and <font> tags, 
i.e. the Page Descriptor and Control Code tags, are unchanged, whereas the resource identifier within the <font> tag is 
transformed to a polarized value. Similarly, the Data (the text of the document) is transformed. 

[0172] The system context (or system information) can be thought of as the collection of system resources available 
to a replay application, such as the color palette, system coordinates and volume setting. When a digital work is input 
to a replay application, the replay application uses the system context to transform the digital content into 
presentation data. Each system context is a required element for the use of the digital work and can be made unique 
to a system, tying use of the digital work to a specific system or physical rendering or replay application. The 
Resource Identifiers and Data within the digital work reference elements contained within the system context. 
Polarizing the system context therefore ties the resulting polarized digital work to that system. 

[0174] Figure 22 shows a font resource of the system context: a resource identifier (ResID), element identifiers 
(ElemID), and the resource characteristics of an individual element, here the letter 'a'. 

[0175] Figure 23 is an illustration of the polarized system context for the font resource shown in Figure 22. The 
resource identifier itself is transformed, and the element identifiers may also be transformed to express the polarized 
form; alternatively it may be enough to transform the resource characteristics alone. In this case, the element carries the 
characteristics for 'T' instead of 'a'. 

[0176] The polarization method applies to different types of digital works. In addition to documents, audio/video data 
may be polarized and replayed into a video image. 
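A worked example of blind replay, R(w', S') = R(w, S) from [0162], for the HTML document of Figures 19 and 20 and the polarized font resource of Figures 22 and 23, added here as an illustration and not the patent's own code. The seeded character permutation, the resource-identifier hash, the glyph table and the seed value are constructed assumptions; the polarization seed stands in for one produced by a seed generator of [0150] to [0152].

```python
import hashlib
import random
import re

TAG_RE = re.compile(r"(<[^>]+>)")       # splits a document into tags (structure) and text (Data)
ALPHABET = "abcdefghijklmnopqrstuvwxyz "


def seeded_permutation(seed, alphabet=ALPHABET):
    """Character permutation derived from the polarization seed s (constructed scheme)."""
    rng = random.Random(hashlib.sha256(seed).digest())
    shuffled = list(alphabet)
    rng.shuffle(shuffled)
    return dict(zip(alphabet, shuffled))


def polarized_res_id(seed, res_id):
    """Transform a Resource Identifier such as "Arial" into a seed-dependent identifier."""
    return "r" + hashlib.sha256(seed + res_id.encode()).hexdigest()[:8]


def polarize(w, S, seed):
    """T(w, s) and T(S, s): returns (w', S').

    Only the Data (text) and the Resource Identifiers are transformed; the Page
    Descriptor and Control Code tags are emitted unchanged, so w' is still HTML.
    """
    perm = seeded_permutation(seed)
    res_ids = {rid: polarized_res_id(seed, rid) for rid in S}
    parts = []
    for part in TAG_RE.split(w):
        if part.startswith("<"):
            for rid, rid_p in res_ids.items():
                part = part.replace('"%s"' % rid, '"%s"' % rid_p)
            parts.append(part)
        else:
            parts.append("".join(perm.get(ch, ch) for ch in part))
    # S': the font resource is re-keyed so that polarized ElemIDs map to the original glyphs
    S_p = {res_ids[rid]: {perm.get(ch, ch): glyph for ch, glyph in table.items()}
           for rid, table in S.items()}
    return "".join(parts), S_p


def replay(w, S):
    """R(w, S): resolve the active font resource and emit one glyph per Data character."""
    font, out = None, []
    for part in TAG_RE.split(w):
        m = re.fullmatch(r'<font face="([^"]+)">', part)
        if m:
            font = S[m.group(1)]
        elif part and not part.startswith("<"):
            out.extend(font[ch] for ch in part)
    return out


def replays_with(w, S):
    """True if the replay application can resolve every resource and element; the
    inseparable link of [0155] shows up as a failure when w' is paired with the clear S."""
    try:
        replay(w, S)
        return True
    except KeyError:
        return False


# Constructed sample: a clear HTML work w and a clear system context S (one font resource)
DOC = '<html><body><font face="Arial">hello world</font></body></html>'
CONTEXT = {"Arial": {ch: "glyph_" + ch.replace(" ", "space") for ch in ALPHABET}}
SEED = b"constructed-seed-from-user-system-state"   # stands in for a state-based seed


def demo():
    w_p, S_p = polarize(DOC, CONTEXT, SEED)
    return w_p, S_p, replay(w_p, S_p) == replay(DOC, CONTEXT)


if __name__ == "__main__":
    w_p, S_p, same = demo()
    print(w_p)
    print("R(w', S') == R(w, S):", same)   # True
```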

[0177] Referring to Figure 17, replay application 1712 corresponds to an audio/video player which generally operates 
by sampling the audio/video input streams 1710 at some sample rate accepted by a target audio/video device. It uses 
the audio/video system resources 1716 to mix the streams and then produce an audio/video stream in the format 
(sample rate, quality, type and format) expected by the target device. 

[0178] The target audio/video device (e.g., rendering application 1720) is some hardware system that is able to 
convert the audio/video stream (presentation data 1714) at a given sample rate, quality, type (channel) and format, 
e.g., sound cards, speakers, monitors and the digital to analog converter located within them. Many devices are able 
to play audio/video streams at a range of different rates. Image data (an audio signal or a video image stream) is 
generated by the audio/video device driver 1720 and consumed by the display device 1726. 

[0179] For example, to polarize an audio/video data stream, one stream is polarized and one stream is left 
unpolarized. The target device has device characteristics (resource information) associated with it; one or more of these 
device characteristics are polarized. 

[0180] Blind replay of the polarized audio/video stream is accomplished in a similar manner as for a polarized 
document. The replay application (audio/video player) mixes together the unpolarized stream and the polarized stream, 
and using the polarized resource information, produces a polarized final data stream for the target audio/video device 
with a correct set of resource information. The target device (1720) uses the polarized resource information to play the 
polarized data stream generating clear sound/visual effects (1724). 

[0181] While certain exemplary embodiments of the invention have been described in detail above, it should be 
recognized that other forms, alternatives, modifications, versions and variations of the invention are equally operative 
and would be apparent to those skilled in the art. The disclosure is not intended to limit the invention to any particular 
embodiment, and is intended to embrace all such forms, alternatives, modifications, versions and variations. For ex- 
ample, the portions of the invention described above that are described as software components could be implemented 
as hardware. Moreover, while certain functional blocks are described herein as separate and independent from each 
other, these functional blocks can be consolidated and performed on a single general-purpose computer, or further 
broken down into sub-functions as recognized in the art. Accordingly, the true scope of the invention is intended to 
cover all alternatives, modifications, and equivalents and should be determined with reference to the claims set forth 
below. 



Claims 

1. A method of protecting a digital work, z, during transformation by a transformation function, F, into presentation 
data F(z), comprising: 

encrypting the digital work, z, in accordance with an encryption scheme, E; 

using a blind transformation function F' to transform the encrypted digital work E(z) into encrypted presentation 
data, F'(E(z)), wherein F' is a function of F; and 

decrypting the encrypted presentation data, F'(E(z)), in accordance with a decryption function, D, to obtain 
the presentation data, F(z), wherein D(F'(E(z))) = F(z). 

2. The method of claim 1, wherein the encryption scheme E is a format preserving encryption scheme. 

3. The method of claim 1, wherein the encryption function E is an additive encryption scheme and wherein F' = F. 

4. The method of claim 3, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, 
EG, OU, RSA and compositions thereof. 

5. The method of claim 1, wherein F' is a polynomial of F. 

6. A system of protecting a digital work, z, during transformation by a transformation function, F, into presentation 
data F(z), comprising: 

an encryption engine for encrypting the digital work z in accordance with an encryption scheme, E; 

a blind transformation function F' for transforming the encrypted digital work E(z) into encrypted presentation 
data, F'(E(z)), wherein F' is a function of F; and 

a decryption engine for decrypting the encrypted presentation data, F'(E(z)), in accordance with a decryption 
function, D, to obtain the presentation data, F(z), wherein D(F'(E(z))) = F(z). 

7. The system of claim 6, wherein the encryption scheme E is a format preserving encryption scheme. 

8. The system of claim 6, wherein the encryption function E is an additive encryption scheme and wherein F' = F. 

9. The system of claim 8, wherein the additive encryption scheme is selected from the group consisting of Mult, Exp, 
EG, OU, RSA and compositions thereof. 

10. The system of claim 6, wherein F' is a polynomial of F. 



EP 1 146 715 A1 

Drawings (figure residue reduced to the recoverable labels): 
FIG. 1: Royalty Payments, Payment, Clearinghouse, Report (elements 122, 132) 
FIG. 2 (Prior Art): Encrypted Documents, Private Key, Decryption, Clear Content, Rendering Application (elements 212, 214, 216) 
FIG. 3 
FIG. 4 
FIG. 5: Executable Code (Rights Enforcer, Polarization Engine, Depolarization Engine, Secure Viewer, Rendering Engine; elements 524-532); Rights & Permissions (518); Content (520): Document Meta-Info, Rights Label Info, Protected Content (522); elements 512, 514 
Further drawing pages: no recoverable text apart from the label "Arial" 
European Patent Office 

EUROPEAN SEARCH REPORT                                              Application Number: EP 01 10 7388 

DOCUMENTS CONSIDERED TO BE RELEVANT 

Category   Citation of document with indication, where appropriate, of relevant passages           Relevant to claim 

           RAMANUJAPURAM A ET AL: "DIGITAL CONTENT & INTELLECTUAL PROPERTY RIGHTS: A                 1-4,6-9 
           SPECIFICATION LANGUAGE AND TOOLS FOR RIGHTS MANAGEMENT", DR. DOBB'S JOURNAL, 
           M&T PUBL., REDWOOD, vol. 23, no. 12, December 1998 (1998-12), pages 20-22,24,26-27, 
           XP000997135, ISSN: 1044-789X 
           * page 20 - page 26 * 
           * figures 1-4 * 

           US 5 768 390 A (MATYAS JR STEPHEN MICHAEL ET AL) 16 June 1998 (1998-06-16)               1-10 
           * abstract * 
           * column 4, line 54 - column 8, line 15 * 
           * figures 2-10 * 

           EP 0 932 298 A (CANON KK) 28 July 1999 (1999-07-28) 
           * abstract * 
           * column 14, line 23 - column 26, line 52 * 
           * figures 1-3,6 * 

           WO 99 16205 A (AEGISOFT CORP) 1 April 1999 (1999-04-01) 

           US 5 586 186 A (ERNST MICHAEL ET AL) 17 December 1996 (1996-12-17)                        1-4,6-9 

CLASSIFICATION OF THE APPLICATION (Int.Cl.7): H04L29/06, G06F1/00 

TECHNICAL FIELDS SEARCHED (Int.Cl.7): G06F, H04L 

The present search report has been drawn up for all claims. 

Place of search: THE HAGUE          Date of completion of the search: 22 August 2001          Examiner: Jacobs, P 

CATEGORY OF CITED DOCUMENTS 
X : particularly relevant if taken alone 
Y : particularly relevant if combined with another document of the same category 
A : technological background 
O : non-written disclosure 
P : intermediate document 
T : theory or principle underlying the invention 
E : earlier patent document, but published on, or after the filing date 
D : document cited in the application 
L : document cited for other reasons 
& : member of the same patent family, corresponding document 



ANNEX TO THE EUROPEAN SEARCH REPORT ON EUROPEAN PATENT APPLICATION NO. EP 01 10 7388 

This annex lists the patent family members relating to the patent documents cited in the above-mentioned European search report. 
The members are as contained in the European Patent Office EDP file on 22-08-2001. 
The European Patent Office is in no way liable for these particulars which are merely given for the purpose of information. 

Patent document cited in search report   Publication date   Patent family member(s)   Publication date 
US 5768390 A                             16-06-1998         NONE 
EP 0932298 A                             28-07-1999         JP 11212460 A             06-08-1999 
                                                            JP 11212461 A             06-08-1999 
                                                            JP 11212462 A             06-08-1999 
                                                            CN 1239378 A              22-12-1999 
WO 9916205 A                             01-04-1999         US 5991402 A              23-11-1999 
                                                            AU 9401198 A              12-04-1999 
                                                            BG 104353 A               28-02-2001 
                                                            BR 9812832 A              08-08-2000 
                                                            CN 1306712 T              01-08-2001 
                                                            EP 1018237 A              12-07-2000 
                                                            PL 342264 A               04-06-2001 
US 5586186 A                             17-12-1996         NONE 

For more details about this annex: see Official Journal of the European Patent Office, No. 12/82 